Natas7 opens up with yet another sparse page, this time including a couple of links for home and about. Clicking on them doesn’t seem to reveal much of interest. Checking the source code, we’re offered a more explicit hint: <!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

OK, with that in mind, the obvious intention is to somehow trick this page into giving us the contents of that file. We have to ask ourselves exactly what we have control over in the given situation. If we had been attentive while checking the home and about links, we might’ve noticed that instead of directing us to different pages, they appear to pass different parameters back to the index page.


From this, we might assume that the code on the server side is loading some kind of template based on the parameter being sent. At this point, the intended solution should be clearer. If we can redirect the page to load the natas8 file instead, we can waltz into natas8 like we own the place. We don’t know where exactly the HTML is located on the server file system, but thankfully we can navigate to the root of the file system by throwing in as many parent directory references as we need.
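To see why the parent directory references work and what stops them, here is an added example (not the level's actual server code, which the page never shows) that contrasts the assumed "join the parameter onto a template directory" pattern with two server-side fixes. The function names, the page allowlist and the temporary file tree are all assumptions constructed for the demonstration.

```python
import os
import tempfile

ALLOWED_PAGES = {"home", "about"}  # assumed page names, taken from the two links


def naive_resolve(base_dir, page):
    # Assumed vulnerable pattern: the parameter is joined to the template dir as-is.
    return os.path.normpath(os.path.join(base_dir, page))


def contained_resolve(base_dir, page):
    # Canonicalise first, then require the result to stay under base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, candidate]) != base:
        return None  # parent-directory references or an absolute path escaped
    return candidate if os.path.isfile(candidate) else None


def allowlist_resolve(base_dir, page):
    # Strictest option: the parameter is only ever a key, never a path.
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(os.path.realpath(base_dir), page)


def demo():
    # Constructed file tree in a temp dir; nothing here touches a real server.
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "var", "www", "pages")
        secret = os.path.join(root, "etc", "webpass", "next_level")
        os.makedirs(pages)
        os.makedirs(os.path.dirname(secret))
        for path in (os.path.join(pages, "home"), os.path.join(pages, "about"), secret):
            with open(path, "w") as fh:
                fh.write("constructed sample content")
        climb = os.path.join("..", "..", "..", "etc", "webpass", "next_level")
        return {
            "naive_escapes": naive_resolve(pages, climb) == secret,
            "contained_climb": contained_resolve(pages, climb),
            "contained_absolute": contained_resolve(pages, secret),
            "contained_home": contained_resolve(pages, "home") is not None,
            "allowlist_climb": allowlist_resolve(pages, climb),
            "allowlist_about": os.path.basename(allowlist_resolve(pages, "about")),
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The containment check also rejects an absolute path passed as the parameter, because joining an absolute path discards the base directory entirely.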
