Again, view the source code.
Let’s try testing the search function and see how it relates to this source code. I’ll search for ‘test’.
Alright, it looks like it uses grep to search a dictionary file for our search term. Since passthru() hands the whole command line, our search term included, to a shell, maybe we can make it run a command of our own.
Let’s end the grep command early with a semicolon and see what’s in the working directory by searching for ;ls.
Ooooo, we can run our own commands. From Natas 7, we saw that passwords are stored in /etc/natas_webpass. Let’s read the password for natas10 with ;cat /etc/natas_webpass/natas10.
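For the fix side, here is an added example (not the level's own source) that puts the passthru() pattern described above next to two hardened forms. The parameter name needle and the file name dictionary.txt are assumptions; the walkthrough only says "a dictionary file".

```php
<?php
// Added example, not the Natas source. 'needle' and 'dictionary.txt' are assumed names.
const DICTIONARY = __DIR__ . '/dictionary.txt';

// The pattern the walkthrough describes: the search term is pasted into a
// shell command line, so ';' and other metacharacters are parsed by the shell.
function search_vulnerable(string $key): void
{
    passthru("grep -i $key " . DICTIONARY);
}

// Hardened form 1: keep grep, but quote every argument for the shell.
// -e marks the term as the pattern even if it starts with '-', and '--' ends
// option parsing. -F makes it a literal string (a behaviour change from the
// regex search above; drop it if regex matching is wanted).
function search_escaped(string $key): void
{
    passthru('grep -i -F -e ' . escapeshellarg($key)
        . ' -- ' . escapeshellarg(DICTIONARY));
}

// Hardened form 2: no shell at all. A case-insensitive substring search
// over the file in PHP, returning the matching lines.
function search_native(string $key): array
{
    $hits = [];
    if ($key === '' || !is_readable(DICTIONARY)) {
        return $hits;
    }
    $fh = fopen(DICTIONARY, 'r');
    while (($line = fgets($fh)) !== false) {
        if (stripos($line, $key) !== false) {
            $hits[] = rtrim($line, "\r\n");
        }
    }
    fclose($fh);
    return $hits;
}

// Request handling: accept only a string parameter and encode the output.
$key = $_REQUEST['needle'] ?? '';
if (is_string($key)) {
    foreach (search_native($key) as $hit) {
        echo htmlspecialchars($hit, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With either hardened form, a search for ;ls is treated as the literal text to look for in the dictionary rather than as a second command.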