 Natus level 22 starts out with practically nothing on the web page So the first thing to do is just go ahead and take a look at the source code See if they actually are trying to hide anything here So I'll paste that URL into our Python script and we'll go ahead and download the page gonna need to de-entitize this all again That's okay remove any break statements or anything else that we have in there That's getting in the way, but it looks like at the very start of the web page There's some PHP code here It starts with the new session and then determines if an array key exists if there's a get parameter Revealio, I don't know. I would assume this is revealio since they're trying to reveal the password And the common here is only admins can reveal the password So this is interesting because it's testing if the session admin key exists, and if it's set to one But only if it's not set to one it'll do something It will redirect you or it'll set a header location like an HTTP header to move you back to another page Like the root directory or the root page of the website here So that's peculiar because it only does it if you are not admin But the only PHP code in the page here is testing whether or not you're passing the Revealio tag in they the HTTP get variable. It doesn't worry about the session admin here So is there a way we can ignore being moved or Following a redirect if we just supply this get parameter But we don't know this admin session or read because it doesn't look like there's any way to actually set this There's no vulnerability to Kind of get in the way or inject this admin credential in our session. So let's try Just trying to run with this Revealio HTTP get variable and it looks like it will just bring us to the page Yeah, so no no admin credentials there Because it redirected us right because we weren't session admin so it kicked us back. Is there a way we can ignore that header Absolutely so you can totally do this in burp if you wanted to because burp will see the original request return the output to you And then move you along with the redirect if you want it to but since we're doing this in Python with requests That module is gonna follow the redirect, but by default You can turn that off allow redirects That's another keyword argument for a get request You can just say false and that will load only that page the one that you requested So now if I go check this out. Hey, you're an admin Even though we haven't modified that session admin variable that PHP global and session We are still able to get through it because of the code in the website We're not being redirected because just telling us no browser I don't want you to do that stay where you are credit us with the next level We've got the password and we can move on so credit a new script here. I'll call this natus 23 Paste the password in and we will keep moving. We don't need to do this allow redirects anymore But that's something good to know Maybe you do want to use that allow redirects keyword argument more often in some of your Python scripts If you're doing some of this webhack and CTF style stuff. So thank you guys for watching. Hope you're enjoying these If you are, please do like the video. Maybe leave me a comment Let me know what you think what else you'd like to see how you solve this and what I can do better If you're willing to subscribe and if you really want to support me, please check me out on patreon A shout out to the people that already support me on patreon Spencer Clark Thank you so much for your support You are helping the channel grow and develop and helping me out for sure I do know the reward if you support me whatsoever through patreon I'll give you a shout out and include this stuff at the end of the video And if you've five dollars or more, I'll let you see some YouTube videos in advance before I get them uploaded or scheduled So thanks for watching. See you soon