OVERTHEWIRE NATAS SERIES: LEVEL 12 – 14

This write-up is the walkthrough for OVERTHEWIRE NATAS level 12 to level 14. Both these levels contain upload the image kind of challenges where we have to upload a shell bypassing the code.

LEVEL 12 – 13:

overthewire natas 12-13

The above image is the screen for overthewore natas challenge 12, When you click on “View sourcecode”, this is what you will find:

overthewire natas 12-13

The marked number 1 is the php function that checks the size of the file, This file that we upload is renamed using a random function which is written above and the random path is also formed with path “/uploads/”. If you see closely, the number 2 code is the html form code and it takes 2 hidden values, the size and the random name created by php genRandomString() function.

I started burp suite to change the values of the submitted form. In the highlighter strings below,I made the changes.

overthewire natas 12-13
fi70lbrlhp.jpg was the random name the function generated. I changed the Extension to .php.
pic.php
is the actually file, I uploaded which contains the highlighted php code above.

This is the php code used in pic.php file, the one I have uploaded:

<?php echo passthru('cat /etc/natas_webpass/natas13'); ?>

Forward the request.

overthewire natas 12-13
Click on the generated link above and the password for level 13 will be echoed. overthewire natas 12-13

LEVEL 13-14:

The level is very much similar to level 12, The only difference is that the security is bit high. The file content is checked if it is a image file or not. If you click the view sourcecode button, you will see the code is very similar to level 12 but the only added line is exif_imagetype function, which checks the type of file.overthewire natas 13-14
overthewire natas 13-14

This time, I uploaded an actual image file.
Burpsuite intercept the request:

overthewire natas 13-14 1

I changed the number 1 from jpg to php  and at number 2, with the content of the image itself, I added a small php code:

<?php echo "<br>"; system("cat /etc/natas_webpass/natas14"); ?>

click on the generated link and the password will appear.

overthewire natas 13-14 2

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.