OverTheWire Natas Level 11 -> Level 12 - Walkthrough



Introduction

In this post I'll walk you through the Natas wargame Level 11 -> Level 12. This level demonstrates an Unrestricted File Upload vulnerability, which we will use to upload our own code and retrieve the password.

Goal

Log in to natas12 and get the password for the next level.

Login details

URL - http://natas12.natas.labs.overthewire.org
Username - natas12
Password - YWqo0pjpcXzSIl5NMAVxg12QxeC1w9QG

Theory

An Unrestricted File Upload vulnerability allows an attacker to upload a file containing malicious code to the website. If the server then executes that file, the application can be compromised. Wherever a website lets users upload files, proper server-side checks and controls must be implemented so that such outcomes are prevented.

mt_rand() is a PHP function that generates a random integer within the specified range. Syntax - mt_rand(min, max)

file_exists() is another PHP function used in this level's code. It checks whether a file or directory exists and returns true or false. Syntax - file_exists(path)

pathinfo() is a PHP function that returns information about a file path. It takes the path and an optional flag selecting which part of the path information to return. PATHINFO_EXTENSION is one such flag and returns only the file's extension. If the flag is omitted, the function returns an associative array containing dirname, basename, extension and filename; if it is specified, a string containing the requested element is returned. Syntax - pathinfo(path, options)

filesize() returns the size of a file in bytes. The code uses it to check whether the uploaded file is less than 1 KB. Syntax - filesize(file)

move_uploaded_file() is a PHP function that moves an uploaded file to a new destination path. Syntax - move_uploaded_file(file, destination)

Solution

Open the URL in a browser and enter the username and password given above.


After logging in, the screen below appears, with an option to choose a JPEG file to upload.

Let's look at the source code. Click on "View sourcecode".


The genRandomString function generates a 10-character random string and returns it.

The makeRandomPath function builds a random filename using the extension passed to it.

The makeRandomPathFromFilename function builds a new filename by extracting the extension from the supplied filename and passing it to makeRandomPath.

The PHP code then checks whether the uploaded file is less than 1 KB. If it is, the uploaded file is moved to the new destination path.

Let's upload any JPG file and see the output.

After the upload, a link to the image is displayed on the screen; clicking it displays the image. Notice that the extension is jpg.

So if we can upload PHP code to the application and get it executed, we can read the password. This is how we exploit the Unrestricted File Upload vulnerability and run our own code.
Write the code below into a file and save it on your local system as script.php:
<?php
// Read and print the password file for the next level
echo shell_exec('cat /etc/natas_webpass/natas13');
?>

Since the application assigns the jpg extension after uploading any file type, we will have to change the extension after selecting our file. The place where this happens can be found in the HTML of the upload form in the source code.

Right click -> Inspect -> Elements.
Now click on "Choose File" and select "script.php".

Then, in the dev tools, change the extension to php.

Now click "Upload File" and a link appears. Notice that this link has a php extension, so the script will be executed when the link is opened.

Click on the link and we get the password.
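For contrast with the handler described above, here is a hardened version of the same upload flow. This is an added example, not the Natas source; it assumes the same "uploadedfile" form field and "upload" directory, and that only JPEG and PNG images are wanted.

```php
<?php
// Hardened replacement for the upload handler described above (added example,
// not the Natas source). Assumes the file input is still named "uploadedfile"
// and files go into the "upload" directory; only JPEG/PNG images are accepted.
// The client-supplied "filename" POST field is ignored entirely: the extension
// is chosen server-side from the file's actual content, and the random name
// comes from random_bytes(), a CSPRNG (mt_rand() is not one).

const UPLOAD_DIR = __DIR__ . '/upload';
const MAX_BYTES  = 1000;
// Server-side allowlist: detected MIME type => extension that will be written.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
// Returns the extension to use, or null if the content is not an allowed image.
function detectAllowedExtension(string $tmpPath): ?string {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    if (!array_key_exists($mime, ALLOWED)) {
        return null;
    }
    // Independent second check: the data must also parse as that image type.
    $img = @getimagesize($tmpPath);
    if ($img === false || $img['mime'] !== $mime) {
        return null;
    }
    return ALLOWED[$mime];
}
// Unpredictable file name; the extension is never taken from the request.
function makeSafeRandomPath(string $dir, string $ext): string {
    do {
        $path = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    } while (file_exists($path));
    return $path;
}
if (isset($_FILES['uploadedfile']) && $_FILES['uploadedfile']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['uploadedfile']['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        http_response_code(400);
        exit('Rejected: not a valid upload or larger than 1 kB');
    }
    $ext = detectAllowedExtension($tmp);
    if ($ext === null) {
        http_response_code(415);
        exit('Rejected: only JPEG or PNG images are accepted');
    }
    $target = makeSafeRandomPath(UPLOAD_DIR, $ext);
    if (move_uploaded_file($tmp, $target)) {
        echo 'Uploaded as ' . htmlspecialchars(basename($target));
    }
}
```

The upload directory should additionally be configured so the web server never executes scripts stored in it; that is a server-configuration change and is not shown here.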

This completes the walkthrough for Level 12, as we now have the password for natas13. Please post your doubts and questions in the comment section.
