Wednesday, November 11, 2015

OverTheWire - Natas - Level 9

Natas teaches the basics of server-side web-security.

Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.

Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas4 and natas5.

After logging in to natas9 we see an input box where we can enter words to search for.

When you click the source code link you get the server-side PHP, which looks like this:

<?php
$key = "";

// Take the search term from the request (GET, POST or cookie), if one was sent.
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

// The term is interpolated straight into a shell command line.
if($key != "") {
    passthru("grep -i $key dictionary.txt");
}

This checks whether a needle value was submitted with the form. If it exists and is non-empty it is passed to grep; the -i flag means ignore case and dictionary.txt is the file to search. Since no sanitisation is done on the $key variable, we can exploit this by passing a Linux command as the key to reveal the password.

We want to cat /etc/natas_webpass/natas10, so that will be the main part of our command. We also want to ignore dictionary.txt, so we put a bash comment ('#') at the end of the command to stop grep from listing its contents. Finally, we need to terminate the grep command before our own by using a semicolon. The resulting input looks like this:
; cat /etc/natas_webpass/natas10 #
Once submitted, this displays the password for natas10.
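For the defender's side, here is the same search written so that the needle can no longer reach the shell. This is an added example, not code from the original post or from OverTheWire; it assumes dictionary.txt sits beside the script, as on the page.

```php
<?php
// Added example: two ways to remove the injection from the natas9 search.
// Assumes dictionary.txt is in the current directory, as in the level.

// Fix 1: keep grep, but hand the user input over as one quoted argument.
// escapeshellarg() wraps the value in single quotes and escapes embedded
// quotes, so ';', '#', '$(...)' and newlines lose their shell meaning.
// The '--' tells grep that what follows is the pattern, not an option,
// so input such as "-r" cannot change grep's behaviour either.
function search_with_grep(string $key): void {
    if ($key === '') {
        return;
    }
    passthru('grep -i -- ' . escapeshellarg($key) . ' dictionary.txt');
}

// Fix 2: avoid the shell entirely. A case-insensitive substring search
// over a word list does not need grep, which removes the injection
// surface instead of escaping around it.
function search_in_php(string $key, string $file = 'dictionary.txt'): array {
    if ($key === '') {
        return [];
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [];
    }
    return array_values(array_filter(
        $lines,
        fn(string $line): bool => stripos($line, $key) !== false
    ));
}

// Same entry point as the original page: the needle comes from the request.
$key = $_REQUEST['needle'] ?? '';
foreach (search_in_php($key) as $match) {
    // Encode on output so a dictionary entry cannot inject HTML either.
    echo htmlspecialchars($match, ENT_QUOTES, 'UTF-8'), "\n";
}
```

With either fix, the payload from this level is searched for as a literal string and simply returns no matches.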
