OverTheWire Natas Level 8 -> Level 9 - Walkthrough


Introduction

In this post, I'll give you a walkthrough of the Natas wargame Level 8 -> Level 9. We will use shell injection to clear this level. Some basic knowledge of Linux commands is required, since we will use it to inject a command and get the password.

Goal

Log in to natas9 and get the password for the next level.

Login details

URL - http://natas9.natas.labs.overthewire.org
Username - natas9
Password - Sda6t0vkOPkM8YeOZkAGVhFoaplvlJFd

Theory

Shell injection is a technique in which an attacker executes operating system (OS) commands on a server to compromise the application and its data.

passthru is a PHP function that executes an external program and displays the raw output. There is an interesting thread on Stack Overflow that discusses this function. Please go through it to enhance your knowledge.

To learn about Linux commands, I recommend completing the OverTheWire Bandit wargames, as they are a good place to start learning Linux. I have done a walkthrough for the Bandit wargames; please use it if you need help clearing any level.

Solution

Open the URL in a browser. Enter the username and password mentioned above.

The screen below appears, displaying a box asking for input and a submit button.

Let's click on "View sourcecode" to see the code.

The PHP code declares a variable $key and assigns an empty string to it. The first if statement looks for a key "needle" in the request (it is visible in the URL) and assigns its value to $key. The second if statement checks whether $key is an empty string. If it is not, the value is placed into the statement passthru("grep -i $key dictionary.txt"). Here, the grep command searches for the key value in the file dictionary.txt, and "-i" makes the search case-insensitive. Because the value is inserted into the command string as-is, the shell interprets any special characters it contains.

Whatever we enter in the search box is assigned to the needle parameter visible in the URL, and that value is then assigned to $key.

We already know that the password is stored in the file /etc/natas_webpass/natas10 and that the search box is the only place that takes input. Therefore, we will enter a Linux command in the search box that will help us exploit the code and get the password from the file.

We will use ";", a command separator that allows us to run two commands on the same line, and "#", which comments out the text after it. Using the cat command, we will print the file and get the password.

Type the command in the search box:
; cat /etc/natas_webpass/natas10 #
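
The weakness described above and two ways to close it, as an added PHP example that is not the level's source code: it prints the command string the unquoted pattern produces, then runs a quoted grep call and a search done entirely in PHP. The function names and the temporary word list are constructed for illustration.

```php
<?php
// Added illustration; not the level's source code. Run locally with: php demo.php

// Constructed word list so the script runs offline.
$dict = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($dict, "apple\nApplication\nbanana\n");

// The pattern the walkthrough describes: input is pasted into the command string.
function vulnerable_command(string $key, string $dict): string {
    return "grep -i $key $dict";
}

// Shell form with quoting: escapeshellarg() wraps the value in single quotes,
// so ";" and "#" reach grep as pattern text. "-e" marks it as the pattern even
// if it starts with "-", and "--" ends option parsing before the file name.
function hardened_command(string $key, string $dict): string {
    return 'grep -i -e ' . escapeshellarg($key) . ' -- ' . escapeshellarg($dict);
}

// No shell at all: a case-insensitive substring search done in PHP.
function search_without_shell(string $key, string $dict): array {
    if ($key === '') {
        return [];
    }
    $lines = file($dict, FILE_IGNORE_NEW_LINES);
    return array_values(array_filter($lines, fn($l) => stripos($l, $key) !== false));
}

// Run a command and return [exit status, output lines].
function run(string $cmd): array {
    $out = [];
    $rc = 0;
    exec($cmd, $out, $rc);
    return [$rc, $out];
}

foreach (['app', '; cat /etc/natas_webpass/natas10 #'] as $input) {
    echo "input:      $input\n";
    // Printed only, never executed: shows the string the shell would parse.
    echo 'vulnerable: ', vulnerable_command($input, $dict), "\n";
    $cmd = hardened_command($input, $dict);
    [$rc, $lines] = run($cmd);
    echo "hardened:   $cmd\n";
    echo "  grep exit status $rc, output ", json_encode($lines), "\n";
    echo '  no shell: ', json_encode(search_without_shell($input, $dict)), "\n\n";
}
unlink($dict);
```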


This completes the walkthrough for Level 9 as we have the password for natas10. Please post your doubts and questions in the comment section.

