OverTheWire Wargames :: Natas

Level 24 > Level 25

natas24-01

 <html>
<head>[...]
<script>var wechallinfo = { "level": "natas24", "pass": "<censored>" };</script></head>
<body>
<h1>natas24</h1>
<div id="content">

Password:
<form name="input" method="get">
    <input type="text" name="passwd" size=20>
    <input type="submit" value="Login">
</form>

<?php
    if(array_key_exists("passwd",$_REQUEST)){
        if(!strcmp($_REQUEST["passwd"],"<censored>")){
            echo "<br>The credentials for the next level are:<br>";
            echo "<pre>Username: natas25 Password: <censored></pre>";
        }
        else{
            echo "<br>Wrong!<br>";
        }
    }
    // morla / 10111
?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

This one was baffling at first. The only way !strcmp($_REQUEST["passwd"],"<censored>" is going to be true to proceed into the conditional is if strcmp returns 0, which only occurs when the strings are equal including case. Sooo we have to completely guess the password and that’s it?

I happened to notice in the HTML head, which I normally remove, that the password to the current level for wechallinfo is censored. Normally the current passsword is shown there because we already know it.

<script>var wechallinfo = { "level": "natas24", "pass": "<censored>" };</script>

Is the current password what we’re looking for?

natas24-02

Damn. Not sure I really understand this one despite, ya know, getting it.

GHF6X7YwACaYYssHVY05cFq83hRktl4c