Natas Level 7 – User Input and Unsafe Includes

In this post we’re going to be looking at Level 7 of the Natas wargame from Over The Wire.

What’s Going On?

Upon logging in, we are presented with a page with two links.  Let’s view the page’s source first.  Doing this, we get a comment hint that the password for the next level is located in the file /etc/natas_webpass/natas8.  We also see that the two links point to the current page with a value assigned to the “page” variable.  The value is passed via the URL as a GET-style argument, making it easy to edit.  If we go back and click on either link we can see some text on each page.

Taking a page name as a variable for site navigation has many upsides from a web programmer’s point of view.  However, let’s look at how it is implemented in this page.  The simplest thing to conclude would be a plain include($_GET['page']); call.  In the case of home and about, this would simply include files called home or about.  Let’s check this idea by requesting those URLs ourselves and confirming that they exist and match what we saw earlier on those pages.  We should find that http://natas7.natas.labs.overthewire.org/home and http://natas7.natas.labs.overthewire.org/about both exist and have the expected contents.  So let’s assume we’ve figured out how the include works.  How can we use this to get the password to the next level?

Exploit

Since the include file is specified via the page variable, let’s think about what we can supply as the page variable to get the password to the next level.  As we saw in the comment hint, the password is stored in the file /etc/natas_webpass/natas8.  So, let’s try supplying that as the value of the page variable!  Requesting the page, http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8, we get a response with the password for level 8.

So What?

So what!?  So don’t blindly let users access files or supply absolute, full file locations!  Use some input sanitization!  Start from the current directory (string concat "./".$sanitizedUserInput).  Append the file type yourself!  There are various options for making this safer, but having unsanitized user-provided data act as an absolute file path on the server is not a good idea.
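The two forms side by side, as an added example that is not the Natas page’s own source (nor OverTheWire’s): the inferred include($_GET['page']) from earlier beside a hardened replacement that applies the advice above. The PAGE_DIR constant, the pages directory, the page names in the allowlist and the .php extension are assumptions for illustration.

```php
<?php
// Added example, not code from the Natas level. PAGE_DIR and the page
// names below are assumptions for illustration.

const PAGE_DIR = __DIR__ . '/pages';

// Vulnerable form: whatever arrives in ?page= becomes the include path, so
// an absolute path such as /etc/natas_webpass/natas8 is read verbatim.
function includeUnsafe(string $page): void
{
    include $page;
}

// Hardened form 1: an allowlist of page names. The request only selects
// which fixed entry is used; the path itself is built from constants.
function resolveAllowlisted(?string $page): string
{
    $allowed = ['home', 'about'];            // assumption: the site's pages
    if ($page === null || !in_array($page, $allowed, true)) {
        $page = 'home';                      // default for anything unknown
    }
    return PAGE_DIR . '/' . $page . '.php';
}

// Hardened form 2 (defence in depth, for when the set of pages is not
// fixed): restrict the name to a safe character set so '/', '\' and '..'
// never reach the filesystem, append the extension ourselves, then verify
// with realpath() that the resolved file really sits under PAGE_DIR.
// Returns null when the name is rejected or the file does not exist.
function resolveContained(string $page): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $page)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $full = realpath(PAGE_DIR . '/' . $page . '.php');
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

function includeSafe(?string $page): void
{
    $path = $page === null ? null : resolveContained($page);
    if ($path === null) {
        $path = resolveAllowlisted('home');  // safe fallback, never user data
    }
    include $path;
}

// Usage: the same ?page= parameter as on the Natas page, now constrained.
includeSafe($_GET['page'] ?? null);
```

Note that prefixing "./" on its own is not enough: "./../../etc/natas_webpass/natas8" still resolves outside the web root, which is why the allowlist is the primary control and the character filter plus realpath() containment is the backstop.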
