Natas Level 9 → Level 10

From the page source, we can see that the word entered into the search box is stored in $key. If $key is not empty, the script greps dictionary.txt and returns every line that contains $key.

$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    // $key is interpolated straight into the shell command string
    passthru("grep -i $key dictionary.txt");
}

However, upon closer inspection, $key is not sanitized and is used as-is in the command line. Therefore, we can inject additional commands as we see fit. One thing we also know is that the password for natas10 is stored in /etc/natas_webpass/natas10. In the terminal, we can use cat to display the content of a file. Another thing we need to know is how to execute multiple commands on one line (; or &&). Finally, if we don't want to deal with the rest of the original command after ours, we comment out the remainder of the line (#). Thus, entering something like this in the query

; cat /etc/natas_webpass/natas10 #

will give us the next password.
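For comparison, here is how the level's lookup would be written so that user input can never reach the shell as code. This is an added example, not code from the Natas source: it assumes dictionary.txt sits next to the script and that grep is on PATH, and the function names (searchVulnerable, searchAllowlisted, searchInPhp) are my own.

```php
<?php
// Added example, not part of the Natas level source.
// Assumptions: dictionary.txt is in the script directory; grep is on PATH.

// Vulnerable form, as on the level: $key is spliced into the shell string,
// so shell metacharacters in it are interpreted by /bin/sh.
function searchVulnerable(string $key): string
{
    return shell_exec("grep -i $key dictionary.txt") ?? '';
}

// Hardened form 1: allowlist the input, then quote it with escapeshellarg().
// Dictionary words are letters only; anything else is rejected before the
// shell ever sees it. The allowlist also rules out a leading "-", which grep
// would otherwise parse as an option.
function searchAllowlisted(string $key): string
{
    if ($key === '' || !preg_match('/^[A-Za-z]{1,64}$/', $key)) {
        return '';
    }
    $cmd = 'grep -i -- ' . escapeshellarg($key) . ' dictionary.txt';
    return shell_exec($cmd) ?? '';
}

// Hardened form 2: do not spawn a shell at all; filter the file in PHP.
// stripos() gives the same case-insensitive substring match as grep -i,
// and no character in $key has any special meaning.
function searchInPhp(string $key, string $path = 'dictionary.txt'): array
{
    $matches = [];
    if ($key === '') {
        return $matches;
    }
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return $matches;
    }
    while (($line = fgets($fh)) !== false) {
        if (stripos($line, $key) !== false) {
            $matches[] = rtrim($line, "\r\n");
        }
    }
    fclose($fh);
    return $matches;
}

$key = $_REQUEST['needle'] ?? '';
// Output is HTML-escaped so dictionary content cannot inject markup either.
echo '<pre>' . htmlspecialchars(implode("\n", searchInPhp($key)), ENT_QUOTES) . '</pre>';
```

Of the two fixes, the second is the one to prefer: escapeshellarg() is only safe when every argument is quoted and the command line is otherwise fixed, whereas reading the file in PHP removes the shell from the picture entirely, so there is no command syntax left to inject into.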


Here are some references to cat and other shell commands. OverTheWire – Bandit is also a great way to learn shell commands.

This is very similar to SQL injection.