Natas Level 7
The level opens up with two buttons, Home and About. Upon my previous readings about PHP, I've been made aware that PHP injections exist. Simply by changing the URL, you can access different PHP pages, functions, etc. In this case there was a clue left in the comments that accessing /etc/natas_webpass/natas8 would return a password, so I just entered that into the ?page= query and boom.
pass for next level: a6bZCNYwdKqN5cGP11ZdtPg0iImQQhAB
Natas Level 8
Similarly, this level opens up with an input secret screen. This time, as I read about before, the secret is encoded via a function written in the PHP script.
Reading the encodeSecret function, I can just reverse what it’s doing to decode the secret.
Steps to decode:
- Hex2bin
- Reverse string
- Base64_decode
Following those steps and putting the result into the input box worked!
pass for the next level: Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd
Natas Level 9
Looking into the source code we see that there is another PHP function that we can exploit!
I wasn’t sure if it would sanitize the input, so I tried a bunch of things. At the end of it I remembered back to when I solved Narnia 0 (a different OverTheWire wargame) and used ; to send multiple commands in. Noticing that it was using shell commands, I considered trying something a bit more useful than grep.
Bingo, now from what I remember from previous levels - the passwords are stored in a particular folder, so I used cat to try and find it by entering: ; cat /etc/natas_webpass/natas10
pass for next level: D44EcsFkLxPIkAAKLosx8z3hxX1Z4MCE
Natas Level 10
Upon reading the source code, it seems that they are checking the input using preg_match - a simple regex matching function for PHP.
I won’t be able to use command injection anymore to just cat the file containing the password. Now we can try to attack the weakest thing there which is the part that lets us use user input! The key changes depending on what we input, for example, when using the search term ‘africa’ - grep searches for words that contain africa, and does it while ignoring cases due to the -i flag.
Reading the grep man page, we can see that multiple files can be searched at once!
This means we can likely use grep to expose the password for us again by searching /etc/natas_webpass/level11. However, since we’re using grep, we’ll need to use our input to try and guess letters in the password for it to spit it out. We’ll guess using a, so our input should look like
Input: a /etc/natas_webpass/level11
We know that the grep input worked, as it is now specifying the files from which grep is pulling text.
Luckily, the password contained the letter ‘a’ so we are in!
Pass for next level: 1KFqoJXi6hRaPluAmk8ESDW4fSysRoIg
What I learnt
I have previously learnt about shell from one of my classes in university, but it was never used in an exploitative manner. Seeing these tools be used in this way taught me that even things designed to help people can be used in damaging ways. Something that has been taught to me in class is that developers should whitelist and not blacklist. A lot of these levels involve some form of blacklisting, and the vulnerability is in exploiting something that wasn't included in the blacklist.
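The whitelist-versus-blacklist point from levels 9 and 10, as an added example that is not part of the original post or the Natas source: it models in Python how a shell splits the grep command line and compares a deny-list check with an allow-list check. The blocked characters `;|&`, the file name `dictionary.txt` and all function names are assumptions made for the illustration.

```python
from __future__ import annotations
import re
import shlex

DENYLIST = re.compile(r"[;|&]")            # assumed level-10 style filter
ALLOWLIST = re.compile(r"[A-Za-z]{1,32}")  # a dictionary word: letters only

def denylist_accepts(key: str) -> bool:
    """Deny-list check: reject only when a known-bad character appears."""
    return DENYLIST.search(key) is None

def allowlist_accepts(key: str) -> bool:
    """Allow-list check: accept only input made up entirely of letters."""
    return ALLOWLIST.fullmatch(key) is not None

def weak_argv(key: str) -> list[str]:
    """argv that grep receives when key is pasted unquoted into a shell line.
    shlex.split models word splitting only, not the ; | & operators."""
    return shlex.split(f"grep -i {key} dictionary.txt")

def files_searched(argv: list[str]) -> list[str]:
    """The first non-option operand is the pattern; the rest are files grep reads."""
    operands = [a for a in argv[1:] if not a.startswith("-")]
    return operands[1:]

def hardened_argv(key: str) -> list[str] | None:
    """Allow-list first, then an argv list (no shell); '--' ends option parsing."""
    if not allowlist_accepts(key):
        return None
    return ["grep", "-i", "-F", "--", key, "dictionary.txt"]

# Constructed sample inputs: one normal search and the two input shapes from the post.
SAMPLES = ["africa", "; cat /etc/natas_webpass/natas10", "a /etc/natas_webpass/level11"]

def report() -> list[tuple[str, bool, bool, list[str]]]:
    """Per input: deny-list verdict, allow-list verdict, files the weak form reads."""
    rows = []
    for key in SAMPLES:
        reaches_shell = denylist_accepts(key)  # rejected input never gets to grep
        files = files_searched(weak_argv(key)) if reaches_shell else []
        rows.append((key, reaches_shell, allowlist_accepts(key), files))
    return rows

if __name__ == "__main__":
    for key, deny, allow, files in report():
        print(f"{key!r:40} denylist={deny!s:5} allowlist={allow!s:5} weak grep reads {files}")
```

The deny-list stops the level 9 input but passes the level 10 one, because a space and a path contain nothing it looks for; the allow-list rejects both and only ever hands grep a single word.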