The 6th level of the OverTheWire Natas wargame introduces PHP and server configuration issues.

It starts out with a secret password prompt.

I took a look at the source code, via the link provided.

I decided I would try and see if I could request the “secret.inc” file, and it worked perfectly.

After I put the secret value into the input box, it showed me the password for the next level.

This level teaches that files containing secrets should never be publicly accessible. The web server only hands `.php` files to the PHP engine, so an included `.inc` file sitting under the webroot is served as plain text to anyone who requests it by name. Either give the include a `.php` extension so the server executes it (producing no output) instead of serving its source, or, better, move it outside the webroot so it cannot be requested at all.
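To make the fix concrete, here is an added example (my own code, not the Natas level's source) showing the vulnerable include layout next to a hardened one. The paths, the `secret.inc` / `secret.php` file names and the `$secret` variable are assumptions for illustration.

```php
<?php
// Added example, not the Natas level's own source.
// Paths, file names and the $secret variable are assumptions.

// --- Vulnerable layout (assumed) ---
// /var/www/html/index.php            (this file)
// /var/www/html/includes/secret.inc  containing:  <?php $secret = "..."; ?>
//
// Apache only passes .php files to the PHP engine, so a direct request for
// /includes/secret.inc returns the raw file, $secret included.
//
//     include 'includes/secret.inc';   // <- the weak pattern

// --- Hardened layout (assumed) ---
// /var/www/html/index.php            (this file, inside the webroot)
// /var/www/private/secret.php        (outside the webroot, not requestable)
//
// Defence in depth: even if a misconfiguration ever exposed the private
// directory, the .php extension means the server would execute the file
// (which prints nothing) rather than serve its source.
require __DIR__ . '/../private/secret.php';   // defines $secret

if (isset($_POST['secret']) && is_string($_POST['secret'])) {
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the guess were correct.
    if (hash_equals($secret, $_POST['secret'])) {
        echo 'Access granted.';
    } else {
        echo 'Wrong secret.';
    }
}
```

As an additional server-side control, deny direct requests for include files in the web server configuration; on Apache 2.4 a `<FilesMatch "\.inc$">` block containing `Require all denied` blocks them even if someone later drops an `.inc` file back under the webroot.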