OVERTHEWIRE Natas: Walkthrough series Level 9 – 11

This article is the continuation of OVERTHEWIRE Natas walkthrough Series. The links of the last article are here:

Overthewire Natas: Walkthrough Series Levels 1 – 4

Overthewire Natas: Walkthrough Series Levels 4 -7

OVERTHEWIRE Natas: Walkthrough series Level 7 – 9

 

Level 9 – 10

Login from the password we obtained in the last article. This screen will appear. If you search anything on it, it will give you some words related to the words you entered.

overthewire 111

So, Let’s view the Source code.

overthewire natas10-11-3

If you see the code marked in red above. The code here says that whatever user enters on the search will be taken for grep command using passthru function of PHP that is used to run system based commands on the web platform. This is the actual code of Command Injection vulnerability, where you can inject malicious commands in order to obtain information as well as own the system.
So here we will use stacked command concept, in which we can run more than one command in a single line. We already know the that all the passwords for natas based level are in “/etc/natas_webpass/natas__” where the dash will contain the level number. We know this from Level 7 – 8.

Now, lets run some command to check if the commands are running, I have used the command: blah & ls -la

The output here lists the file exist in the current directory.

overthewire natas10-11-3

Let’s do the real deal by obtaining password for natas10. The command I have entered is: & cat /etc/natas_webpass/natas10

This gave us the password.

overthewire natas10-11-3

LEVEL 10 – 11

This level is similar to the level above, but here they have security filter.

overthewire natas10-11-3

In the code below, preg_match() function is used which checks the input by the user for ‘/[;|&]/’ character and printing out error if the search term contains anyone of those.

overthewire natas10-11-3

 

So, it took me a while and a lot of searches to find bypass this. The command which I have used is: … cat //etc/natas_webpass/natas11

‘…’ these will bypass the filter causing it to run stack commands.

overthewire natas 10-11-3

There you go now, password for the 11th level!

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.