OverTheWire Natas Level 9 -> Level 10 - Walkthrough


Introduction

In this post, I'll give you a walkthrough of the natas wargame Level 9 -> Level 10. We will use the same shell injection technique as in the last level to clear this level. This time, a PHP regular expression forbids certain characters from being entered.

Goal

Log in to natas10 and get the password for the next level.

Login details

URL - http://natas10.natas.labs.overthewire.org
Username - natas10
Password - D44EcsFkLxPIkAAKLosx8z3hxX1Z4MCE

Theory

Regular expressions are special sequences of characters used to find and replace specific patterns in a string. Brackets define a set of characters, any of which may be matched in the given string. E.g. [qwert] checks whether any character from the options within the brackets is present in the string.

Similarly, there are metacharacters that have a special meaning. E.g. | finds a match for any one of the patterns separated by the | symbol, as in "apple|orange|mango". There are other metacharacters as well. Please explore more and read about them.

The preg_match() function in PHP checks whether a match for the specified pattern is present in the string. It returns true if the pattern is present, otherwise it returns false.

Solution

Open the URL in a browser. Enter the username and password mentioned above.


The screen below appears, showing an input box and a submit button. It also displays a message saying that certain characters are now filtered.

Let's click on "View sourcecode" to see the code.

Compared to the code in the last level, it is very similar, with one extra line of code to sanitize user input. The line "if(preg_match('/[;|&]/',$key))" checks whether ";", "|" or "&" is used in the input; if one is, preg_match() returns true and the message inside this if statement is printed. However, the way the key variable stores the value has not changed, and we can exploit it.
Enter the command ".* /etc/natas_webpass/natas11 #" and click search.
"." represents the current directory. "*" denotes all the files in the current directory. So the grep command becomes "grep -i .* /etc/natas_webpass/natas11 # dictionary.txt". The "#" turns the rest of the line, including dictionary.txt, into a shell comment.

We can see a few outputs along with the natas11 password. We can ignore the other outputs as they are not important for this level.
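Why the character blacklist does not contain the injection, and what a fix looks like, as an added example that is not the level's source code or the author's. The regex and the command shape are taken from the walkthrough above; the function names, `secret.txt` and the file contents are constructed for the demo.

```php
<?php
// Added example, not the level's source. The filter regex and the
// "grep -i <input> dictionary.txt" shape come from the walkthrough; function
// names, file names and file contents are constructed for this demo.

// Filter as quoted on the page: rejects input containing ; | or &.
function blacklist_allows(string $key): bool {
    return preg_match('/[;|&]/', $key) !== 1;
}

// Weak form: input is spliced unquoted into the shell command line, so
// spaces split it into separate arguments and # comments out what follows.
function build_vulnerable(string $key): string {
    return "grep -i $key dictionary.txt";
}

// Hardened form: input is a single quoted argument. -e marks it as the
// pattern, -F makes it a literal string, -- ends option parsing.
function build_hardened(string $key): string {
    return 'grep -i -F -e ' . escapeshellarg($key) . ' -- dictionary.txt';
}

// Alternative that never starts a shell: search the word list in PHP.
function search_no_shell(string $key, string $file): array {
    if ($key === '') return [];
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return array_values(array_filter($lines,
        fn($line) => stripos($line, $key) !== false));
}

// Constructed sandbox: a word list and a stand-in for a protected file.
$dir = sys_get_temp_dir() . '/natas10_demo_' . getmypid();
mkdir($dir);
chdir($dir);
file_put_contents('dictionary.txt', "apple\norange\nmango\n");
file_put_contents('secret.txt', "CONSTRUCTED-SECRET-VALUE\n");

// Same shape as the input on the page, pointed at the constructed file.
$key = '.* secret.txt #';
echo 'passes blacklist: ', var_export(blacklist_allows($key), true), "\n";

foreach ([build_vulnerable($key), build_hardened($key)] as $cmd) {
    echo "\n\$ $cmd\n";
    passthru($cmd, $status);
    echo "(exit status $status)\n";
}
echo "\nno-shell search for 'an': ",
    implode(', ', search_no_shell('an', 'dictionary.txt')), "\n";
```

Run with the PHP CLI (7.4 or later): the first command prints the contents of the constructed secret.txt even though the input passed the filter, while the hardened command treats the whole input as one literal search string and matches nothing.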
This completes the walkthrough for the natas Level 10 wargame. Please post your questions and doubts in the comment section.

