Natas · OverTheWire

Natas Level 24 → Level 25

Level 24

Username : natas24
Password :OsRmXFguozKpTZZ5X14zNO43379LZveg
URL : http://natas24.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas24 application using the credentials provided above.

The application looks similar to the last level. Let’s evaluate the source code again.

<?php
if(array_key_exists("passwd",$_REQUEST))
{
    if(!strcmp($_REQUEST["passwd"],"<censored>"))
    {
        echo "<br>The credentials for the next level are:<br>";
        echo "<pre>Username: natas25 Password: <censored></pre>";
    }
    else
    {
        echo "<br>Wrong!<br>";
    }
}
// morla / 10111
?>

As we can see the application compares the passwd REQUEST variable with a censored value. If the comparison returns 0, i.e the values match, the application returns the password for the next level. Let’s see the different possible values returned by strcmp function:

Returns < 0 if str1 is less than str2; > 0 if str1 is greater than str2, and 0 if they are equal.

While searching for strcmp vulnerabilities, I came across this link. The link mentions that if the strcmp function is used to compare a string with an array, the function returns 0. If this holds true in our case, modification of variable passwd to passwd[] should give us the password for the next level.

 

As we can see, the application returns a warning along with the password.

 

Level 25

Username : natas25
Password : GHF6X7YwACaYYssHVY05cFq83hRktl4c
URL : http://natas25.natas.labs.overthewire.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s