OverTheWire Natas Level 12 -> Level 13 - Walkthrough

OverTheWire Natas Solution

Introduction

In this level, I'll give you a walkthrough to the natas wargame Level 12 -> Level 13. The source code of this level is similar to the last level with extra checks to allow only image files to be uploaded. We will bypass it and upload our php code to get the password of next level.

Goal

Login to natas13 and get the password for next level.

Login details

URL - http://natas13.natas.labs.overthewire.org
Username - natas13
Password - lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9

Theory

exif_imagetype() is a php function which is used to determine the type of an image. It reads the first bytes of an image and checks its signature. We will therefore allow the application to read our code as a GIF and upload it.

Solution

Open the URL in a browser. Enter the username and password mentioned above.

The below screen appears on successfully logging in with an option to choose a jpeg file to upload and a message that only image files are allowed.

Lets see the source code. Click on "View sourcecode".

The code is largely same as it was in the previous level with minor differences. The exif_imagetype() function is used which checks whether an image file is uploaded or not. Since the script that we used in the previous level will not get uploaded this time, we will add "GIF" at the beginning of the script as it will allow the script to get uploaded without being detected as a non-image file.
Type below code in a file and save it on your system-:
GIF<?
echo shell_exec('cat /etc/natas_webpass/natas14');
?>
Similar to the previous level, open the developer tools and then click choose file to select the script file. Update the extension from jpg to php in the developer tools. Now click upload file.

This will display the link to the uploaded file. Click the link to execute the code and we can see the password.

The first three letters are GIF which can be ignored. They are displayed because anything outside the php code tags is echoed back to the server. Therefore, the password starts from the fourth character which is 'q'.

This completes the walkthrough for Level 13 as we have got the password for natas14. Please post your doubts and question in the comment section below and explore other ways to complete this level.