OverTheWire Wargames :: Natas :: Level 22
Level 22 > Level 23
A blank page. At least I assume it’s supposed to be blank and the crazy PHP errors are a temporary issue… it did not seem to affect getting through the level.
Source:
<?
session_start();
if(array_key_exists("revelio", $_GET)) {
// only admins can reveal the password
if(!($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1)) {
header("Location: /");
}
}
?>
<html>
<head>[...]</head>
<body>
<h1>natas22</h1>
<div id="content">
<?
if(array_key_exists("revelio", $_GET)) {
print "You are an admin. The credentials for the next level are:<br>";
print "<pre>Username: natas23\n";
print "Password: <censored></pre>";
}
?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
The first PHP block adds a Location: /
header if you don’t have the admin
session variable. The second bit of PHP will dump the password if it sees the GET parameter “revelio.”
In this case we don’t have to bother with injecting into the session variable. If you just add “revelio” you won’t see much in your browser because it will refresh back to /
but we can see what happened in the local proxy.
As expected.
D0vlad33nQF0Hz2EP255TP5wSW9ZsRSE