{"id":1898,"date":"2016-10-17T15:51:22","date_gmt":"2016-10-17T15:51:22","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=1898"},"modified":"2018-12-12T16:11:37","modified_gmt":"2018-12-12T16:11:37","slug":"overthewire-natas-9","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-natas-9\/","title":{"rendered":"OvertheWire \u2013 Natas 9"},"content":{"rendered":"<div class=\"entry-content\">\n<p class=\"entry-content\"><strong>Recap of Last Lesson:<\/strong> We learned more about encoding in PHP and how to analyze functions.<\/p>\n<p class=\"entry-content\"><a href=\"http:\/\/natas9.natas.labs.overthewire.org\/\"><strong>Natas Level 9<\/strong><\/a><\/p>\n<p class=\"entry-content\"><strong>Objective: <\/strong>Find the password to log into level 10.<\/p>\n<p class=\"entry-content\"><strong>Intel Given<\/strong><\/p>\n<div class=\"entry-content\">\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>URL: http:\/\/natas9.natas.labs.overthewire.org\/<\/li>\n<li>Source code available<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\n<p><!--more--><\/p>\n<p><strong>How to:<\/strong><\/p>\n<p>Like last time, it appears we have access to the source code of the application. This will almost certainly be interesting to us. Check out the <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2016\/10\/Screen-Shot-2016-10-17-at-8.02.03-AM.png\">source code<\/a> here. Like before, we will look at the source code and look at the relevant PHP. 
Here is the PHP portion:<\/p>\n<pre><code>$key = \"\";\nif(array_key_exists(\"needle\", $_REQUEST)) {\n    $key = $_REQUEST[\"needle\"];\n}\nif($key != \"\") {\n    passthru(\"grep -i $key dictionary.txt\");\n}\n<\/code><\/pre>\n<\/div>\n<div class=\"entry-content\">So from the top down:<\/div>\n<ul>\n<li class=\"entry-content\">A variable named <strong>$key: <\/strong>this variable is initialized to a blank string.<\/li>\n<li class=\"entry-content\">An if statement that looks for a variable in the request named &#8220;needle&#8221;, and assigns its value to the &#8220;key&#8221; variable.<\/li>\n<li class=\"entry-content\">An if statement that performs an action if the key is not an empty string.<\/li>\n<li class=\"entry-content\">Inside it, the passthru function is called with the key embedded directly in a shell command.<\/li>\n<\/ul>\n<p>A quick test &#8211; In the search box, search for &#8220;test&#8221;. In the address bar of our web browser, we should now see:<\/p>\n<p>http:\/\/natas9.natas.labs.overthewire.org\/?needle=test&#038;submit=Search<\/p>\n<p>This gives us an idea of how the user can pass variables to the server. Notice our search for &#8220;test&#8221; assigned that value to a variable named &#8220;needle&#8221;. Going back to our analysis of the source code, we know that the value of &#8220;needle&#8221; will be assigned to the &#8220;key&#8221; variable.<\/p>\n<p>With this we can infer that PHP will then execute:<\/p>\n<pre><code>passthru(\"grep -i <strong>test<\/strong> dictionary.txt\");\n<\/code><\/pre>\n<p>It&#8217;s important that we understand the passthru function. We can look it up in the <a href=\"http:\/\/php.net\/manual\/en\/function.passthru.php\">PHP documentation<\/a>.<\/p>\n<p>We see that this function is used to execute a command, just as we would on the command line. This can be dangerous. 
Review the relevant <a href=\"https:\/\/www.owasp.org\/index.php\/Command_Injection\">OWASP wiki<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Code_injection#Shell_injection\">Wikipedia page<\/a> for command injection. On the Wikipedia page, notice the entry for &#8220;sequential execution&#8221;. In bash, we can execute multiple commands on a single line. Let&#8217;s try it. In the search bar, enter<\/p>\n<pre><code>test; ls\n<\/code><\/pre>\n<p>Notice that instead of returning the output of the search, we see the output of the &#8220;ls&#8221; command. Now apply the techniques you learned from <a href=\"https:\/\/www.hackmethod.com\/overthewire-natas-7\/\">Natas level 7<\/a>. By inserting a &#8220;..\/&#8221; we can traverse upward toward the root directory, and navigate towards the directory which holds the password.<\/p>\n<p>Try this query:<\/p>\n<pre><code>test; ls ..\/..\/..\/..\/etc\/natas_webpass\n<\/code><\/pre>\n<p>If you are not quite sure what is happening, revisit the OWASP documentation for <a href=\"https:\/\/www.owasp.org\/index.php\/Testing_Directory_traversal\/file_include_%28OTG-AUTHZ-001%29\">path traversal<\/a>. Now that we see the password file in the directory listing, we can swap out the &#8220;ls&#8221; command for the &#8220;cat&#8221; command.<\/p>\n<p>Try this query:<\/p>\n<pre><code>;cat ..\/..\/..\/..\/etc\/natas_webpass\/natas10\n<\/code><\/pre>\n<p>Success! We have retrieved <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2016\/10\/Screen-Shot-2016-10-17-at-8.44.55-AM.png\">the password<\/a> for Natas 10.<\/p>\n<div class=\"entry-content\">\n<div class=\"entry-content\"><strong>Conclusion: <\/strong>In this lesson we learned of a new attack vector called &#8220;command injection&#8221; or &#8220;code injection&#8221;. We revisited previously learned methods such as path traversal. 
Passing user defined parameters directly to the command shell is dangerous, and input should always be sanitized if this functionality is needed.<\/div>\n<div class=\"entry-content\">\n<\/div>\n<\/div>\n<p><!--more--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Last Lesson: We learned more about encoding in PHP and how to analyze functions. Natas Level 9 Objective: Find the password to log into level 10. Intel Given URL: http:\/\/natas9.natas.labs.overthewire.org\/ Source code available<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44,49],"tags":[57,45,50,46],"class_list":["post-1898","post","type-post","status-publish","format-standard","hentry","category-overthewire","category-tutorials","tag-natas","tag-overthewire","tag-tutorial","tag-tutorials"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-uC","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=1898"}],"version-history":[{"count":17,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/1898\/revisions"}],"predecessor-version":[{"id":5200,"href":"https:\/\/hackmethod.com
\/wp-json\/wp\/v2\/posts\/1898\/revisions\/5200"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=1898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=1898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=1898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}