Recap of Last Lesson: We learned more about encoding in PHP and how to analyze functions.

Natas Level 9

Objective

Find the password to log into level 10.

Intel Given

  • URL: http://natas9.natas.labs.overthewire.org/
  • Source code available

How to

Like last time, we have access to the source code of the application, which will almost certainly be interesting to us. Check out the source code here. As before, we will read through the source and focus on the relevant PHP. Here is the PHP portion:

$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}

So from the top down:

  • A variable named $key is initialized to an empty string.
  • An if statement checks whether the request contains a parameter named “needle” and, if so, assigns its value to the $key variable.
  • A second if statement performs an action only if $key is not an empty string.
  • Inside it, the passthru function is called, with $key spliced directly into the shell command string.

Let's run a quick test. In the search box, search for “test”. In the address bar of our web browser, we should now see:

http://natas9.natas.labs.overthewire.org/?needle=test&submit=Search

This gives us an idea of how the user can pass variables to the server. Notice that our search for “test” assigned that value to a request parameter named “needle”. Going back to our analysis of the source code, we know that the value of “needle” will be assigned to the “key” variable.

With this we can infer that PHP will then execute:

passthru("grep -i test dictionary.txt");

It's important that we understand the passthru function. We can look it up in the PHP documentation.

We see that this function executes an external command, just as we would on the command line, and sends its raw output back to the browser. This can be dangerous. Review the relevant OWASP wiki and Wikipedia page for command injection. On the Wikipedia page, notice the entry for “sequential execution”: in bash, a semicolon separates commands, so multiple commands can be executed on a single line. Let's try it. In the search bar, enter

test; ls

Notice that instead of returning the output of the search, we see the output of the “ls” command. Now apply the techniques you learned from Natas level 7. By inserting “../” we can traverse upward toward the root directory and navigate toward the directory which holds the password.

Try this query:
test; ls ../../../../etc/natas_webpass

If you are not quite sure what is happening, revisit the OWASP documentation for path traversal. Now that we see the password file in the directory listing, we can swap out the “ls” command for the “cat” command.

Try this query:
;cat ../../../../etc/natas_webpass/natas10

Success! We have retrieved the password for Natas 10.

Conclusion

In this lesson we learned about a new attack vector called “command injection” or “code injection”. We revisited previously learned methods such as path traversal. Passing user-defined parameters directly to the command shell is dangerous, and if this functionality is needed, input should always be sanitized.
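As an added example (not part of the Natas source or the original lesson), here is the vulnerable search from the page beside two hardened versions: one that validates the term and passes it to the shell as a single quoted argument, and one that avoids the shell entirely. The function names and the `dictionary.txt` path are assumptions for illustration.

```php
<?php
// Vulnerable (as on the page): $key is interpolated raw into a shell command,
// so shell metacharacters such as ";" in the request become extra commands.
function search_vulnerable(string $key): void {
    passthru("grep -i $key dictionary.txt");
}

// Hardened, still using the shell: allow-list the term, then quote it with
// escapeshellarg() so the shell sees exactly one argument. The "--" stops
// grep from treating a term that starts with "-" as an option.
function search_hardened(string $key): void {
    if (!preg_match('/^[A-Za-z]{1,64}$/', $key)) {
        http_response_code(400);
        echo "invalid search term";
        return;
    }
    $cmd = 'grep -i -- ' . escapeshellarg($key) . ' dictionary.txt';
    passthru($cmd);
}

// Better still: no shell at all. A case-insensitive substring search in PHP
// gives the same behaviour as "grep -i" with no command line to inject into.
function search_no_shell(string $key, string $path = 'dictionary.txt'): array {
    $matches = [];
    $fh = fopen($path, 'r');
    if ($fh === false) {
        return $matches;
    }
    while (($line = fgets($fh)) !== false) {
        if (stripos($line, $key) !== false) {
            $matches[] = rtrim($line, "\r\n");
        }
    }
    fclose($fh);
    return $matches;
}

// Same request handling as the original page, wired to the shell-free search.
$key = '';
if (array_key_exists('needle', $_REQUEST)) {
    $key = (string) $_REQUEST['needle'];
}
if ($key !== '') {
    foreach (search_no_shell($key) as $word) {
        // Escape on output so dictionary contents cannot inject HTML either.
        echo htmlspecialchars($word, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With `search_no_shell`, a request such as `?needle=test;ls` simply searches the dictionary for the literal string `test;ls` and returns nothing.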