What's going on guys, John Hammond here, coming back at you with some more Natas videos from the OverTheWire war game. So we just got up to level six here. We just got the pass before it in the previous videos. And again, we're still working with Python scripts that will go ahead and return the actual password for us, or kind of a flag, to get us to the next level. So that's been working pretty well for us. We're working in Python scripts and now we're on to level six. So let's go ahead and check out what we're working with here.

We're still using a request object session, and when we run this script, Ctrl+B, we're not getting an output. Let's find out why. Okay, looks like we're good now, sweet. Let's see what this page is here. In the content of the Natas 6 level, there's a POST method form. Okay, it says input secret, and checking the secret, that's always submit. That's all we're submitting. Okay. It's just going to be posted, so what is the issue there?

Let's try and make a POST to it. Let's change our command here to post to the URL, and we'll pass in some data. We need, right, we need the secret to, I guess, equal anything. We'll keep our auth, like, credentials moving in. So name equals secret, and make sure submit is... it should be going through on its own. It's submit. So now if we run this, what was the response? Seemingly nothing. Okay. What is going on?

Oh. Oh, there is a view source code. Okay, totally missed that. There is a view source .html script here that's linked. So let's see what we've got. Maybe it's doing something peculiar with this input secret that we're doing. Let's change the URL that we want to... just add the, what was it? It was index-source.html. After we get that page... oh goodness gracious. This looks pretty bad. Let's... encode special characters, will that work for us?
No. Well, what about Tidy HTML? HTML Tidy, will that come to save the day? Kind of. Maybe we can install a package to HTML escape or decode and encode. Dang, how do we HTML escape this? Because we've got all these encoded ones. See if there's an easy way to do that. Head on over to our friend Google. Sublime Text HTML decode. De-entitize, looks like there's a package here, has commands to convert HTML entities to a character. Let's try that. Install package. It was called StringEncode. Installed, cool. HTML De-entitize, okay, that did some stuff. We'll de-entitize again. Sweet, cool. We just got the source code just like that.

All right. If array_key_exists submit POST, if the secret... so this is PHP code, right? You can tell here, denoting... well, at least the question marks and braces make it say that this is PHP code. So if you haven't heard of PHP, it is the back-end language on most servers that will do processing of code, server-side code, before a page is returned to you.

So it looks like it is including something from a separate file. Maybe we can access that. And it looks like it gets a variable secret out of that. We can only assume that's how that dollar sign is referred to. PHP variables are denoted by a preceding dollar sign in PHP code. And it's testing if the submit... okay, so if it is submitted, if the POST request has been made, it tests if the secret that we posted to it, well, we actually submit through the form, is equal to that secret, and if it is, it will give us the password.

Okay, so let's check out, see if we can access that included file. Let's just tack that on to our request, change that instead of the instance it is... okay cool, and we get the secret here. This guy. I don't think that our browser... I don't know if... because normally, clearly this is PHP code.
You can tell by the beginning and ending question mark and greater-than, less-than symbol, wakka wakka, whatever you want to call them. PHP code here would normally not be rendered out to the web browser; you'd not be able to receive that. I think there's an issue in that the designer didn't name that file with a .php extension. You can tell Apache or a web server to evaluate things, but... you can tell a browser to do some of those things, like evaluate PHP code on things that don't have a PHP extension, but it's probably a good idea to use the same extension if you, like, if you want to and you can.

So all that, that didn't go through, but we got the secret for it. Did I put it in my clipboard? I did, okay cool. So let's go ahead and paste that, or post that in this case, using that as the data that we give, that we submit, and now let's see what the response is. Nothing. Why did that happen? I don't think... maybe we're not giving the submit key, and that's necessary because we aren't giving it. Let's say submit can equal submit. Now that should evaluate. Okay, great. That PHP code ran and it said great, the password for Natas 7 is here. Let's steal this. Glad that was able to be echoed out for us. Paste that in here. If we run it, will we get it? Great. We've got it. Let's go ahead and save that.

So if we had submitted that just how we were in a web browser... let's get to that page and show you how it looks, just even in your web browser. All that's happening is... let's go to your Natas 6. That form, that input secret form here, we're submitting this, like, all we're doing is literally typing that in and pressing the click here button.
You can see through, like, your developer tools, if you're checking that out in Firefox or your web browser, you can see that you're making a POST request when you do that. So if I loaded this page here, all the GET requests that are happening to that URL, and if we input a secret here, we submit the query, you can see that it was posted here, and you can check out the headers, stuff that we sent it, like you've seen before in the previous video. Here's the server, the content that we're working with, and Referer we had in here just like a previous video, and we actually send it the parameters, the data that we're working with. Secret that we encoded, or secret that we sent, and sent as form data, put into a dictionary data type the pipeline could work with, and then we got the response. Here's your web page back. Here's everything to give you. And since the PHP back-end server code was able to process it, we are granted with the Natas 7 password. Neat.

All right, cool. Really, that's all for this video. I think we're dragging on for a little bit of time here. So thank you guys for watching. Hope you enjoyed this, and we'll move into Natas 7 in the next video. See you soon.
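
Added example, not part of the video or its scripts: a defender-side audit for the issue described above, where an included file holding PHP code and a secret has an extension the server does not execute, so a direct request returns its source. The function names, the extension set and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: extensions your web server passes to the PHP interpreter.
EXECUTED_EXTENSIONS = {".php", ".phtml"}
# PHP open tags: "<?php", "<?=", or short tag "<?" + whitespace (not "<?xml").
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def find_exposed_php(web_root, executed=EXECUTED_EXTENSIONS):
    """Return web-root-relative paths of files that contain PHP code but
    have an extension the server would serve as plain text."""
    exposed = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if os.path.splitext(name)[1].lower() in executed:
                continue  # interpreted by PHP, source is not returned
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if PHP_TAG.search(fh.read(65536)):
                    rel = os.path.relpath(path, web_root)
                    exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_tree(root):
    """Constructed sample web root; names and contents are made up."""
    files = {
        "index.php": '<?php include "includes/config.inc"; ?>',
        "includes/config.inc": '<?php $secret = "PLACEHOLDER"; ?>',
        "includes/helpers.php": "<?php function h($s) { return $s; } ?>",
        "static/feed.xml": '<?xml version="1.0"?><rss></rss>',
        "static/about.html": "<html><body>about</body></html>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo(executed=EXECUTED_EXTENSIONS):
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_exposed_php(root, executed)


if __name__ == "__main__":
    for rel in demo():
        print("served as source:", rel)
```

Any file this reports should be renamed to an executed extension, moved outside the web root, or blocked by a deny rule in the server configuration.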