Natas Level 9 → Level 10

From the page source, we can see that the word entered into the query becomes $key. If $key is not empty, the script searches dictionary.txt and returns every line that contains $key.

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
 $key = $_REQUEST["needle"];
}

if($key != "") {
 passthru("grep -i $key dictionary.txt");
}
?>

However, on closer inspection, $key is not sanitized and is used as-is in the command line. Therefore, we can inject additional commands as we see fit. We also know that the password for natas10 is stored in /etc/natas_webpass/natas10. In a terminal, we can use cat to display the contents of a file. We also need to know how to execute multiple commands on one line (; or &&). Finally, if we don’t want to deal with the rest of the command after ours, we need to comment out the remainder of the line (#). Thus, entering something like this in the query

; cat /etc/natas_webpass/natas10 #

will give us the next password.

nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Here are some references to cat and other shell commands. OverTheWire – Bandit is also a great way to learn shell commands.

This is very similar to SQL injection.
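
As an added example (not part of the original write-up or the Natas source), here are two ways the search could be written so that the input shown above is handled as data rather than shell syntax. The function names grep_command and search_dictionary and the temporary dictionary file are assumptions made for illustration.

```php
<?php
// Added example (not the Natas source): two hardened versions of the search.

// Option 1: keep grep, but pass the user input as a single quoted argument.
// escapeshellarg() quotes the value and escapes embedded quotes, so shell
// metacharacters such as ; && and # lose their meaning. "-e" marks the value
// as the pattern even if it begins with "-", and "--" ends option parsing
// before the file name.
function grep_command(string $key, string $file = "dictionary.txt"): string {
    return "grep -i -e " . escapeshellarg($key) . " -- " . escapeshellarg($file);
}

// Option 2: no shell at all. A case-insensitive substring match done in PHP.
// Unlike grep, the input is not interpreted as a regular expression.
function search_dictionary(string $key, string $file = "dictionary.txt"): array {
    $matches = [];
    if ($key === "" || !is_readable($file)) {
        return $matches;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        if (stripos($line, $key) !== false) {
            $matches[] = $line;
        }
    }
    return $matches;
}

// Constructed demo data: a small dictionary file in the temp directory.
$dict = tempnam(sys_get_temp_dir(), "dict");
file_put_contents($dict, "apple\nCategory\ncat\n");

// The input from this write-up, now treated as one literal search pattern.
$input = "; cat /etc/natas_webpass/natas10 #";
echo grep_command($input, $dict), "\n";      // string that would go to passthru()
var_dump(search_dictionary($input, $dict));  // searched for as plain text
var_dump(search_dictionary("cat", $dict));   // an ordinary dictionary lookup
unlink($dict);
```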
