Monday, October 29, 2012

OvertheWire - Natas Wargame Level 9 Writeup

Level 9

Using the credentials obtained in the previous writeup, we can log in to Level 9, where we are presented with the following:


As always, it's off to the source for more info:

 <html>  
 <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>  
 <body>  
 <h1>natas9</h1>  
 <div id="content">  
 <form>  
 Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>  
 </form>  
 Output:  
 <pre>  
 <?  
 $key = "";  
 if(array_key_exists("needle", $_REQUEST)) {  
   $key = $_REQUEST["needle"];  
 }  
 if($key != "") {  
   passthru("grep -i $key dictionary.txt");  
 }  
 ?>  
 </pre>  
 <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>  
 </div>  
 </body>  
 </html>  

We can see that this code takes in a keyword as input, and uses the passthru function to perform a system command to grep through a file for the specified keyword. Without sanitation, a command execution vulnerability exists in this code. Let's exploit it to obtain the password for natas10 (located in /etc/natas_webpass/natas10). We can do so using the following 'keyword':

win; cat /etc/natas_webpass/natas10 #

This command terminates the grep command (using the 'win' keyword), and cats the output of the natas10 password file. It then comments out the reference to 'dictionary.txt'. Let's see what happens:


Just as we expected, we are given the password for natas10, which we can use to log in to the next challenge. More writeups to come.

-Jordan

No comments:

Post a Comment