OverTheWire Natas Level 25 – 26 is based on directory traversal. The code has several restrictions: it sanitizes the user input, which makes it harder for us to get the password. Let's see how we can bypass it and get access to the next level.
The code for this level is here:
The lang parameter takes the user's language choice, and that is where we can perform directory traversal. The function safeinclude($filename) takes the filename and, if it contains ../, removes it. A strstr() check then looks for the string natas_webpass in the path and returns an error if it is found.
The above code is important: it shows where the application is actually writing its log. The highlighted part states the location of the log file, whose name starts with natas25_ followed by the session id, where the session id is the PHPSESSID passed in the header. That is where we will see our password. If you look at $_SERVER['HTTP_USER_AGENT'] in the code above, you can see that the user agent is also written to the log file, along with the date and time.
So the idea is to put the PHP that reads the password file into the User-Agent header, so that it is written to the log and then executed when the log file is included by the code above.
The PHP code I used in the User-Agent header is:
<? readfile("/etc/natas_webpass/natas16") ?>
Once you forward the above request, copy the PHPSESSID value; it's time for the directory traversal.
Now, we know we can't use ../ directly. To bypass the filter I will use ..././ here: the first ../ is removed, and the remaining leading . and trailing ./ are joined, forming ../ again and bypassing the filter. It is the same trick as writing UNunionION in SQL injection.
In the request above, I used the directory traversal to access the log file for my session, and there you go: the password for this level is displayed!
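As an added illustration (not the level's own code) of why stripping ../ once is not a sanitiser, and what a defender would do instead: naive_include() below mimics the filter as described above (assuming a single str_replace pass), and hardened_include() replaces it with an allowlist plus a realpath() containment check; the function names, the language directory and the sample inputs are assumptions.

```php
<?php
// Added example, not the Natas level's own code. naive_include() mimics
// the described behaviour of stripping "../" from the lang parameter
// (assumed to be a single str_replace pass); hardened_include() shows a
// safer approach: an allowlist plus a realpath() containment check.

function naive_include(string $filename): string
{
    // str_replace removes each "../" it finds in one left-to-right pass.
    // "..././" loses the "../" in the middle and collapses to "../".
    return str_replace('../', '', $filename);
}

function hardened_include(string $lang, string $baseDir): ?string
{
    // 1. Allowlist the parameter: two lowercase letters and nothing else,
    //    so no slash, dot or NUL byte ever reaches the file system API.
    if (preg_match('/^[a-z]{2}$/', $lang) !== 1) {
        return null;
    }

    // 2. Canonicalise both paths and require the target to sit inside
    //    the base directory. realpath() resolves symlinks and "..".
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $lang . '.php');
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed inputs showing the failure mode of the naive filter.
$attempts = ['../', '..././', '....//', 'en'];
foreach ($attempts as $input) {
    printf("%-10s -> %s\n", $input, naive_include($input));
}
// '..././' and '....//' both come out as '../': the single strip pass
// creates a new traversal sequence instead of removing it.

// The hardened version rejects anything but an allowlisted name
// (assumed base directory ./language containing en.php etc.).
var_dump(hardened_include('..././', __DIR__ . '/language'));   // NULL
```

The second flaw on the page, including a log file that stores raw request headers, is avoided by the same principle: never pass user-influenced paths or user-written files to include().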