This write-up is a walkthrough for OverTheWire Natas level 12 to level 14. Both levels are image-upload challenges in which we have to upload a shell by bypassing the checks in the code.
LEVEL 12 – 13:
The above image is the screen for OverTheWire Natas challenge 12. When you click on “View sourcecode”, this is what you will find:
The code marked number 1 is the PHP function that checks the size of the file. The file that we upload is renamed using the random function written above it, and the random path is formed under “/uploads/”. If you look closely, the code marked number 2 is the HTML form, and it takes 2 hidden values: the size and the random name created by the PHP genRandomString() function. Both hidden values pass through the browser, so they can be changed before the form is submitted.
I started Burp Suite to change the values of the submitted form. I made the changes in the highlighted strings below.
fi70lbrlhp.jpg was the random name the function generated. I changed the extension to .php.
pic.php is the actual file I uploaded, which contains the highlighted PHP code above.
This is the PHP code used in the pic.php file, the one I uploaded:
<?php echo passthru('cat /etc/natas_webpass/natas13'); ?>
Forward the request.
Click on the generated link above and the password for level 13 will be echoed.
LEVEL 13 – 14:
This level is very similar to level 12. The only difference is that the security is a bit higher: the file content is checked to see whether it is an image file or not. If you click the “View sourcecode” button, you will see that the code is very similar to level 12, and the only added line is the exif_imagetype function, which checks the type of the file.
This time, I uploaded an actual image file.
Burp Suite intercepts the request:
I changed the extension at number 1 from jpg to php, and at number 2, along with the content of the image itself, I added a small piece of PHP code:
<?php echo "<br>"; system("cat /etc/natas_webpass/natas14"); ?>
Click on the generated link and the password will appear.
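
Both levels fall to the same root cause: the stored file's extension comes from a form field the client controls, and exif_imagetype only looks at the start of the file. The following is an added example of a hardened handler, not the Natas source code; store_upload, ALLOWED_TYPES, MAX_BYTES and the upload directory are hypothetical names and values chosen for illustration.

```php
<?php
// Added example: hardened image upload (hypothetical names, not the challenge's code).
declare(strict_types=1);

// Allowlist: detected image type => [extension the server assigns, GD encoder].
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => ['jpg', 'imagejpeg'],
    IMAGETYPE_PNG  => ['png', 'imagepng'],
    IMAGETYPE_GIF  => ['gif', 'imagegif'],
];
const MAX_BYTES = 1000000; // constructed limit, enforced server-side

function store_upload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Measure the file on disk; ignore any size sent in a hidden form field.
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the bytes, never from a client-supplied filename.
    $type = exif_imagetype($file['tmp_name']);
    if ($type === false || !array_key_exists($type, ALLOWED_TYPES)) {
        throw new RuntimeException('not an allowed image type');
    }
    [$ext, $encode] = ALLOWED_TYPES[$type];

    // Decode and re-encode with GD: the stored file is written from the decoded
    // pixels, so bytes appended after the image data are not copied over.
    $image = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($image === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // The server picks both the random name and the extension.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$encode($image, $target)) {
        throw new RuntimeException('could not write image');
    }
    return $target;
}

// Usage inside the form handler (field name is an assumption):
// $path = store_upload($_FILES['uploadedfile'], '/var/www/upload');
```

Because the extension is taken from the allowlist, a request that renames the file to .php has no effect on the stored name. Serving the upload directory with script execution disabled adds a second layer.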