Natas · OverTheWire

Natas Level 9 → Level 10

Level 9

Username : natas9
Password : W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
URL : http://natas9.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas9 application using the credentials provided above.

After logging in, we can see that the application looks like a search application which searches for input characters in a dictionary. Upon looking at the source code, we can see that the dictionary is available here ‘ http://natas9.natas.labs.overthewire.org/dictionary.txt ‘.

The application code utilizes passthru() function to grep for the searched term using a GET parameter ‘ needle ‘. The passthru() function is similar to the exec() function in that it executes a command. This function should be used in place of exec() or system() when the output from the Unix command is binary data which needs to be passed directly back to the browser.

As we can see, the application does not validate the data entered in the GET parameter and simply passes it to the passthru function call. Therefore, the passthru function seems vulnerable. Lets validate this by passing ” ;echo hello; “. The passthru function performs the querypassthru(“grep -i;echo hello;dictionary.txt”); ” and prints hello on the screen.

If we pass the file location of the password for natas10, the application should respond back with the password. We now pass ” ; cat /etc/natas_webpass/natas10;  ” as the search term and Voila!, the application responds with the password for natas10.

Level 10

Username : natas10
Password : nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
URL : http://natas10.natas.labs.overthewire.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s