Natas Level 10 – Input Sanitization

In this post we’re going to be looking at Level 10 of the Natas wargame, hosted by Over The Wire.

What’s Going On?

Upon logging in, we should see that this level looks very similar to the previous one. In fact, it is presented the same way, except that it tells us it now performs input sanitization ("we now filter on certain characters"). Checking the HTML and PHP source code, we see very few differences except for one check in the PHP code. This check is a regular expression looking for any instance of `;`, `|` or `&`. These characters are used on the Linux shell to separate commands, so this is an attempt to make sure our page only submits one command to passthru(). So, how can we make use of our position of supplying data to passthru() and to grep to get the password for the next level?

Exploit

While we can't easily supply multiple commands, maybe we can make use of the grep command itself. Looking at how the key is combined with grep, let's try to figure out a way to read the password file. With grep, an empty pattern matches every line, so supplying empty quotes should list the entire contents of the dictionary file, and if we try it, it works. Submit "" and see the contents of the file! Next, we need to specify a different file. Luckily, grep lets us specify multiple files to search through! So let's try "" /etc/natas_webpass/natas11. Lo and behold, we get the contents of the password file followed by the contents of the dictionary.txt file!

So What?

So again, even with "sanitization," one must be aware of what to sanitize. This level did a fine job of preventing users from submitting multiple commands to the shell; however, the intended command itself still accepted user-controlled arguments, which made it a vector for leaked information and therefore a vector of attack.
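To make the lesson concrete, here is an added illustration (not the level's real source and not the post author's code) of a blacklist-style check of the kind described above, placed beside two hardened forms. The function names, the `$key` variable, the `dictionary.txt` filename and the `search_dictionary()` helper are all assumptions made for this example.

```php
<?php
// Added example, not the level's actual source. The first function mirrors the
// blacklist approach the post describes; the two after it are hardened forms.
// $key is assumed to hold the raw user-supplied search term.

// Weak: blocks the shell separators ; | and &, but still interpolates the raw
// value into the command line, so whitespace inside $key becomes additional
// grep operands (extra files to search). The command count is limited; the
// argument list of the one command is not.
function weak_grep(string $key): string {
    if (preg_match('/[;|&]/', $key)) {
        return "Input contains an illegal character!";
    }
    ob_start();
    passthru("grep -i " . $key . " dictionary.txt");
    return ob_get_clean();
}

// Hardened, still shelling out: escapeshellarg() turns the whole value into ONE
// single-quoted argument (embedded quotes are escaped), and "--" ends option
// parsing so a term beginning with "-" cannot become a grep flag. The set of
// files grep reads is now fixed in the code, and an empty term is rejected
// instead of matching every line.
function hardened_grep(string $key): string {
    if ($key === '') {
        return "Please supply a search term.";
    }
    $cmd = "grep -i -- " . escapeshellarg($key) . " dictionary.txt";
    ob_start();
    passthru($cmd);
    return ob_get_clean();
}

// Hardened, no shell at all: do the case-insensitive substring search in PHP.
// Nothing the user types is ever interpreted by /bin/sh or by grep, so there
// is no argument boundary to sanitize in the first place.
function search_dictionary(string $key, string $path = 'dictionary.txt'): array {
    $hits = [];
    if ($key === '') {
        return $hits;
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return $hits;   // unreadable dictionary: return nothing rather than error text
    }
    foreach ($lines as $line) {
        if (stripos($line, $key) !== false) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Usage sketch: the hardened variants give the same result for ordinary terms.
// echo hardened_grep("hello");
// print_r(search_dictionary("hello"));
```

The general point the example makes is that a character blacklist controls how many commands the shell runs, not how many arguments the one command receives; quoting the value as a single argument (or avoiding the shell entirely) is what fixes the argument boundary the post exploits.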
