Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.
After logging in to natas10 we'll see an input box looking for the secret and a link to view the source code.
When you click the source code link you'll see the server-side PHP, which should look something like this:
    $key = "";
    if(array_key_exists("needle", $_REQUEST)) {
        $key = $_REQUEST["needle"];
    }
    if($key != "") {
        if(preg_match('/[;|&]/',$key)) {
            print "Input contains an illegal character!";
        } else {
            passthru("grep -i $key dictionary.txt");
        }
    }
This looks a lot like the last one, but now the input is checked before it reaches grep: if the needle parameter is present and non-empty, it is rejected when it contains ";", "|" or "&". Nothing else is filtered, and the value is still placed unquoted into the grep command line. I decided to use the -v flag to look for an inversion of the /etc/natas_webpass/natas11 file. The -v flag inverts the sense of matching, to select non-matching lines.

    -v "#" /etc/natas_webpass/natas11 #

In other words, we are telling it to display all lines in /etc/natas_webpass/natas11 that do not have a '#' in them, which will return the password because the file does not contain '#'!
Another way we could do this is to use backticks to substitute a command, like the following:

    `cat /etc/natas_webpass/natas11` /etc/natas_webpass/natas11 #

This will substitute the contents of natas11 as the string to search for in /etc/natas_webpass/natas11, which should be everything.
Whichever method you use will display the password for natas11.
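The filter fails because it blocks three characters while $key is still pasted unquoted into a shell command, where spaces, quotes, backticks and # keep their meaning. An added example (not the level's source; search_dictionary, grep_command and the temporary dictionary file are hypothetical names) of two fixes: doing the search in PHP, or passing the input to grep as a single quoted, literal pattern:

```php
<?php
// Added example: two shell-safe replacements for the level's grep call.
// search_dictionary(), grep_command() and the sample file are hypothetical.

/** Case-insensitive substring search done in PHP, so no shell is involved. */
function search_dictionary(string $needle, string $path): array
{
    if ($needle === '') {
        return [];
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("cannot read $path");
    }
    // stripos() compares literal text: quotes, backticks and '#' mean nothing.
    return array_values(array_filter(
        $lines,
        fn(string $line): bool => stripos($line, $needle) !== false
    ));
}

/** If grep must stay: build a command where the input is exactly one argument. */
function grep_command(string $needle, string $path): string
{
    // escapeshellarg() single-quotes the value, so the shell does no splitting,
    // substitution or comment handling on it.
    // -F matches a fixed string; -e marks the next argument as the pattern even
    // when it begins with '-'; "--" ends option parsing before the file name.
    return 'grep -i -F -e ' . escapeshellarg($needle)
         . ' -- ' . escapeshellarg($path);
}

// Constructed sample dictionary and inputs (the last two are the strings above).
$dict = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($dict, "apple\nbanana\nPineapple\n");
$inputs = [
    'apple',
    '-v "#" /etc/natas_webpass/natas11 #',
    '`cat /etc/natas_webpass/natas11` /etc/natas_webpass/natas11 #',
];
foreach ($inputs as $input) {
    echo grep_command($input, $dict), "\n";
    echo '  matches: ', json_encode(search_dictionary($input, $dict)), "\n";
}
unlink($dict);
```

With either version the second and third inputs are treated as ordinary search text and match nothing in the sample dictionary.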