Natas Level 16 → Level 17

This looks similar to Natas Level 10 → Level 11 except with more illegal character.

$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");

If we put any word as input, it will search the dictionary (regardless of case, grep -i) and output all those words. As you can see the input is not sanitize except for those illegal character. What we need is to craft commands that fit into $key and give us back the next password. From bash, we found that () can be use to execute subshell commands and using $, we can substitute the result of the subshell  into the grep -i command above. We can use cut to get one character at a time from the default password file.

$(cut -c 1 /etc/natas_webpass/natas17)
When we enter this in the input, we got nothing. However, if we try the second character, we immediately get a full page of text. What happen is that the dictionary file does not contain digit, only letters. The second letter of the password seems to be a p or P but we don’t know because the grep in front have -i option to ignore case. We could try to use grep instead like we did in our last challenge. Since we know the first character is probably a digit from our cut command, we can check all digit using this.
$(grep ^0 /etc/natas_webpass/natas17)
If we run the above command from 0-7, we will be greeted with the whole dictionary file. However, when we hit 8, nothing output. This mean that 8 is in the next password. Let’s append a word at the end so that when we didn’t match, it will return that word, and when we found the correct character, that character will prepend the word and cause no match to the dictionary.
$(grep ^8 /etc/natas_webpass/natas17)Africans

Now, we will reuse our script from last level and tweet it to input the above and vary the character we search. Notice we can just change the url encoding each time we try a different character. The first “X” after grep is the location where your password string go as you discover each character.

We can also try to do a binary search by using more than one character inside [] after the ^.

$(grep ^8[01234567890] /etc/natas_webpass/natas17)Africans

For example, the above will check if the second character is also a digit after we find the correct first digit (8). Once you loop through all 32 characters (we will assume its 32 but you can test it by append a wild card at the end each time to verify if there are more undiscover character), the next password will be your final output.


Additional resources: