Level 25
Username: natas25
Password: GHF6X7YwACaYYssHVY05cFq83hRktl4c
URL: http://natas25.natas.labs.overthewire.org
To solve this level, we first log into the natas25 application using the credentials provided above.
The application displays a quote and lets us change the language in which it is shown. Let's check the source code to learn more about the application.
The application utilizes the following functions:
setLanguage(), safeinclude($filename), listFiles($path), logRequest($message)
The setLanguage() function includes a file by calling safeinclude(). safeinclude() checks for path traversal by replacing "../" with an empty string, which removes every occurrence of "../" from the filename. However, this replacement is performed in a single pass and is never repeated, so we can craft a string that only becomes a traversal sequence after safeinclude() has processed it.
To read the file /etc/hosts, we first need to traverse up to the / directory and then request /etc/hosts. Consider the filename "....//....//....//....//etc/hosts". When passed through the function, each "....//" loses one "../" and collapses to "../", so the application builds the path ../../../../etc/hosts for us. That is a valid path, and the application prints the contents of the file.
The safeinclude() function also checks whether the filename contains "natas_webpass", so any attempt to access the password file for the next level causes the application to exit.
Therefore, we need to find another way to get our own input into an included file. On careful inspection, we can see that the logRequest() function also writes our browser's User-Agent header into the log. This value is fully controlled by us and the function performs no validation on it. So if we can get the application to include a file that contains our own PHP code, it will execute that code and we may be able to retrieve the password for the next level.
The logRequest() function writes the request information to "/var/www/natas/natas25/logs/natas25_<session_id()>.log". The value of session_id() is under our control, since it is the value of the PHPSESSID cookie. If we can get the password file included into the log and then request the log file itself, we will obtain the password. Since I'm using Burp Proxy, I sent the following request to get the password.
GET /?lang=....//logs/natas25_ST.log HTTP/1.1
Host: natas25.natas.labs.overthewire.org
Authorization: Basic bmF0YXMyNTpHSEY2WDdZd0FDYVlZc3NIVlkwNWNGcTgzaFJrdGw0Yw==
Upgrade-Insecure-Requests: 1
User-Agent: <? include "/etc/natas_webpass/natas26" ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://natas25.natas.labs.overthewire.org/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=ST
Connection: close
Content-Length: 0
The User-Agent value is written into /var/www/natas/natas25/logs/natas25_ST.log, and when that log is included, the PHP in it reads the password file. You can choose any value for PHPSESSID, but make sure to use the same value when building the path in the lang parameter.
As we can see above, the application responds with the password for the next level.
Level 26
Username: natas26
Password: oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T
URL: http://natas26.natas.labs.overthewire.org