{"id":338,"date":"2012-10-31T17:45:33","date_gmt":"2012-11-01T00:45:33","guid":{"rendered":"http:\/\/seanmurphree.com\/blog\/?p=338"},"modified":"2012-10-31T17:45:33","modified_gmt":"2012-11-01T00:45:33","slug":"natas-level-10-input-sanitization","status":"publish","type":"post","link":"https:\/\/seanmurphree.com\/blog\/?p=338","title":{"rendered":"Natas Level 10 &#8211; Input Sanitization"},"content":{"rendered":"<p>In this post we&#8217;re going to be looking at Level 10 of the Natas wargame, hosted by Over The Wire.<\/p>\n<h2>What&#8217;s Going On?<\/h2>\n<p>Upon logging in, we should see that this level seems very similar to the previous one. \u00a0In fact, it&#8217;s presented the same except it tells us that it performs user input sanitization (&#8220;we now filter on certain characters&#8221;). \u00a0Checking the HTML and PHP source code we see very few differences except for one check in the PHP code. \u00a0This check is a regular expression checking for any instance of ; | or &amp;. \u00a0These characters are used on the Linux shell to separate commands, and thus, this is an attempt to make sure our page only submits one command to passthru(). \u00a0So, how can we make use of our position of supplying data to passthru and to grep, to get the password for the next level?<\/p>\n<h2>Exploit<\/h2>\n<p>While we can&#8217;t easily supply multiple commands, maybe we can make use of the grep command. \u00a0Looking at how the key is combined with grep, let&#8217;s try and figure out a way to read the password file. \u00a0With grep, we could supply empty quotes to list the contents of the dictionary file, and if we try it, it works. \u00a0Submit &#8220;&#8221; and see the contents of the file! \u00a0Next, we need to specify a different file. \u00a0Well, luckily, with grep we can specify multiple files to search through! \u00a0Thus, let&#8217;s try &#8220;&#8221; \/etc\/natas_webpass\/natas11. 
\u00a0Lo and behold, we get the contents of the password file followed by the contents of the dictionary.txt file!<\/p>\n<h2>So What?<\/h2>\n<p>So again, even with &#8220;sanitization,&#8221; one must be aware of what to sanitize. \u00a0This level did a fine job preventing users from submitting multiple commands to the shell; however, the desired command itself also has aspects that made it a vector for leaked information, a vector of attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post we&#8217;re going to be looking at Level 10 of the Natas wargame, hosted by Over The Wire. What&#8217;s Going On? Upon logging in, we should see that this level seems very similar to the previous one. \u00a0In fact, &hellip; <a href=\"https:\/\/seanmurphree.com\/blog\/?p=338\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[36,35,4],"tags":[],"_links":{"self":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/338"}],"collection":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=338"}],"version-history":[{"count":2,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/338\/revisions"}],"predecessor-version":[{"id":340,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/338\/revisions\/340"}],"wp:attachment":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=338"}],"wp:term":[{"taxonomy":"category","embe
ddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=338"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}