This article is the continuation of the OverTheWire Natas walkthrough series. The links to the previous articles are here:
Level 9 – 10
Log in with the password we obtained in the last article. This screen will appear. If you search for anything, it returns some words related to the term you entered.
So, let’s view the source code.
Look at the code marked in red above. Whatever the user enters in the search box is handed to the grep command through PHP’s passthru() function, which runs system commands from the web application. This is a textbook command injection vulnerability: an attacker can inject commands to obtain information or take over the system.
So here we will use the stacked-command concept, where more than one command runs on a single line. We already know that all the passwords for the Natas levels are in “/etc/natas_webpass/natas__”, where the blank holds the level number. We know this from Level 7 – 8.
Now, let’s run a command to check that commands are actually executed. I have used the command: blah & ls -la
The output lists the files in the current directory.
Let’s do the real deal and obtain the password for natas10. The command I have entered is: & cat /etc/natas_webpass/natas10
This gave us the password.
Level 10 – 11
This level is similar to the one above, but here a security filter is in place.
In the code below, the preg_match() function checks the user’s input for the characters ‘/[;|&]/’ and prints an error if the search term contains any of them.
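The same pattern seen at levels 9 and 10, shown from the defender’s side as an added example (this is illustration code, not the Natas source): the unquoted passthru() call, the character denylist, and a hardened version that validates against an allowlist and quotes the term with escapeshellarg(). The function names and the dictionary.txt filename are assumptions.

```php
<?php
// Added illustration, not the Natas source. Each function returns the shell
// command line it would hand to passthru(), so the effect of each approach
// can be compared without running grep.

// Level-9 pattern: the search term is concatenated straight into the command.
// Any shell metacharacter in $key becomes part of the command line itself.
function search_vulnerable(string $key): string {
    return "grep -i $key dictionary.txt";
}

// Level-10 pattern: reject ; | & and otherwise build the same command.
// A denylist only blocks the characters its author thought of, and the term
// is still parsed by the shell as free text rather than as one argument.
function search_denylist(string $key): ?string {
    if (preg_match('/[;|&]/', $key)) {
        return null; // "Input contains an illegal character!"
    }
    return "grep -i $key dictionary.txt";
}

// Hardened form: allow only what a dictionary lookup needs, then quote with
// escapeshellarg() so the term always reaches grep as exactly one argument.
// The "--" stops a leading dash from being read as a grep option.
function search_hardened(string $key): ?string {
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $key)) {
        return null; // reject anything that is not a plain word
    }
    return 'grep -i -- ' . escapeshellarg($key) . ' dictionary.txt';
}

// Constructed inputs: a normal word and the probe used in the walkthrough.
foreach (['hello', 'blah & ls -la'] as $key) {
    printf("input:     %s\n", $key);
    printf("vulnerable: %s\n", search_vulnerable($key));
    printf("denylist:   %s\n", search_denylist($key) ?? '(rejected)');
    printf("hardened:   %s\n\n", search_hardened($key) ?? '(rejected)');
}
```

For the normal word all three variants produce a working grep; for the probe, the vulnerable variant yields two shell commands, while the denylist and the allowlist both reject it.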
So, it took me a while and a lot of searching to find a bypass for this. The command which I have used is: … cat //etc/natas_webpass/natas11
‘…’ bypasses the filter, allowing stacked commands to run.
There you go, the password for the 11th level!