Recap of Last Lesson: We learned more about command injection and how to exploit it. We also revisited directory traversal attacks.

Natas Level 10


Find the password to log into level 11.

Intel Given

  • URL:
  • Source code available

How to

Once more, we have access to the source code of the application. Lets take a quick look. The source code looks very similar to last time. Since it looks almost exactly the same, I’ve chosen to diff the two files to see what the differences are. I used but there are many tools that you can use to do it. Here is a screenshot of my output. Lets examine the code that changed.

if(preg_match('/[;|&]/',$key)) {
print "Input contains an illegal character!";
} else {
passthru("grep -i $key dictionary.txt");

It seems that the only change is that they added a filter, heeding our advice for input filtering.

Seemingly unable to add on additional commands to the passthru function, we can still try to be creative in thinking up an alternate solution. Lets breakdown the grep command.

grep -i $key dictionary.txt

grep – executes /bin/grep
-i – Perform case insensitive matching.
$key – Our user controllable parameter
dictionary.txt – the file to search

Lets see is we can exploit the logic of the grep query. First we have the command, then a flag, then an option, then a value, and lastly, the file to read from. What if we could change the file that is read from? Perhaps we could have it search the password file.

We will try to figure out how the password file is defined. We see that it comes after the search query. Lets take a quick look at the man page for grep. You will notice something interesting.

The grep utility searches any given input files

Do you see that “s” at the end of file? This means we can search multiple files in a single grep command. This means we can search both the password file and dictionary.txt

Try this query:
a /etc/natas_webpass/natas11

We can assume that this will send the command:

grep -i a /etc/natas_webpass/natas11 dictionary.txt

searching both “/etc/natas_webpass/natas11” and “dictionary.txt” for the letter a.

You will also notice, that this doesn’t get us the results we want. Why not? Because in order for the password to be returned, we need the letter “a” to be present in the password. Let’s try picking a couple of other random letters and see if we can find a match.

Try this query:
u /etc/natas_webpass/natas11


In this lesson we learned about additional ways we can exploit a command injection vulnerability. Last time we learned how to append additional commands, and in this lesson we learned how to analyze the logic of an application and use it in a way the developer did not intend.