Day: January 11, 2015

Natas Level 9

The form’s action is pretty self-explanatory, but how does it work? passthru() executes system commands and displays the raw output. They are grepping for $key in the file “dictionary.txt”. There does not appear to be any input sanitization, and this is good news for us 🙂 If we set $key

Natas Level 8

This looks familiar, so let’s jump right into the source code here. It looks like we need to submit a string which will be equal to $encodedsecret after going through their encoding scheme which, when broken down, looks like this: If you are unfamiliar with any of these functions I encourage

Natas Level 7

So we log in to Natas 7 and see two links. Let’s click on “home” and check out the page source, shall we? There are a couple of things to notice here. After we click on home, the address bar in our browser looks like this: http://natas7.natas.labs.overthewire.org/index.php?page=home index.php?page=home means that we

Natas Level 6

What’s the secret? Let’s find out! This time they give us the source code to index.php to look at. This is because when you right-click > view source on a PHP page in your browser, only the HTML is visible, and not the PHP code. The source looks like
