Skip to main content

OverTheWire Natas 9

OverTheWire Natas 9

In mean time waiting for an important result, let me go with  Natas 9 and Natas 10.
The reason I group 2 levels in one post is that Natas 10 is upgraded version of Natas 9 ( there is a more upgraded version that is Natas 16 but i won’t spoil the fun now  ).
Less talk, grab password from previous level and login. We greeted with a words search form. There is the source code :
<html>
<head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>

Output:
<pre>
<?
$key="";

if(array_key_exists("needle",$_REQUEST)){
    $key=$_REQUEST["needle"];
}

if($key!=""){
    passthru("grep -i $key dictionary.txt");
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>
This code takes word that is inserted in search form an search for it in dictionary.txt by using popular Linux tool grep. Don’t know what grep is ?. Read its manual here : http://linux.die.net/man/1/grepFunction passthru of PHP can be considered as a Linux shell that allow us to executes Linux command. -i switch is simply –ignore-case  in search pattern.
OK, let play a bit. Search for hacker, it will output :
hacker
hacker's
hackers
The full command will be :
grep -i hacker dictionary.txt
This code simple concat $key to predefined command, so we have full control in what ever we can insert. Some more information about some special symbols used in shell comand and script : (Full at here http://tldp.org/LDP/abs/html/special-chars.html)
command separator, allow 2 command in one line
# comment, the following command after this symbols will be commented.
. match any type character (regular expression)
* match one or more characters before (regular expression)
So, by using ; we can insert one (or more) arbitray command and by using #, we can comment dictionary.txt  out. We already knew that password for Natas 10 is stored at /etc/natas_webpass/natas10 . Finally, we come up with search word : ; cat /etc/natas_webpass/natas10 # . In this case our command will become:
grep -i ; cat /etc/natas_webpass/natas10 # dictionary.txt
which equivalent to output the content of /etc/natas_webpass/natas10 (cat /etc/natas_webpass/natas10) .  And the result :
s09byvi8880wqhbnonMFMW8byCojm8eA

Comments

Popular posts from this blog

Wordpress hacking - How to install / run wpscan on windows xp / windows 7 / windows 10

HOW TO RUN WPSCAN ON WINDOWS Byrockstardevil Requirements: rubyinstaller Development Kit for rubyinstaller curl DLL for windows : libcurl.dll 1 - install rubyinstaller you must have Ruby 2.2.3 version . download links here : http://rubyinstaller.org/downloads/ for more info : https://github.com/oneclick/rubyinstaller/wiki 2 - install Development Kit for rubyinstaller download link : http://rubyinstaller.org/downloads/ how to install : https://github.com/oneclick/rubyinstaller/wiki/Development-Kit if you face that problem  "unknown encoding name -  (ArgumentError)" just type "chcp 1252" in cmd and hit enter 3 - install libcurl.dll A - Download libcurl.dll from : http://www.confusedbycode.com/curl/ B - copy libcurl.dll copy  libcurl.dll into ruby bin folder or wpscan folder and make sure to add it to your PATH. I also added .DLL to PATHEXT ex : C:\Ruby21-x64\bin\ you can visit : http://www.computerhope.com/issues/ch000549.htm to know to set the p

How To Generate Random IP Address Using JAVA ?

Today I'll Show You How To Generate Random IP Address... But First Why I Want This...Right...? Ans : If You Want Test Your Code That Whether It Is Recognizing The Machine By It’s IP Address Then You Had To Use This Code To Generate Random IP Address. So Here We Goooo.... private String generateIPAddress ( int p1 , int p2 , int p3 ) { StringBuilder sb = null ; Random r1 = new Random (); Random r2 = new Random (); Random r3 = new Random (); Random r4 = new Random (); String ip1 = Integer . toString ( b1 ); String ip2 = Integer . toString ( b2 ); String ip3 = Integer . toString ( b3 ); String ip4 = Integer . toString ( b4 ); String b1 = IpConverter . longToIp ( r1 . nextLong ()); String b2 = IpConverter . longToIp ( r2 . nextLong ()); String b3 = IpConverter . longToIp ( r3 . nextLong ()); String b4 = IpConverter . longToIp ( r4 . nextLong ()); //Now the I

3 Ways to Root Android 7.0 Nougat on Nexus Running Official AOSP [Update: Root Android 7.1]

3 Ways to Root Android 7.0 Nougat on Nexus Running Official AOSP [Update: Root Android 7.1] If you own a Nexus phone then chances are you have already updated your device with the latest official Android 7.0 Nougat firmware. This brings the newer firmware build number NRD90M to the Nexus range including the Nexus 5X, 6P, 9, 6, Nexus Player, and the Pixel C. Unfortunately, Nexus 5 and 7 were left behind. This has been a game-changing week for the Android community as you can now expect the new software for your Android device soon enough. It may either come officially from a manufacturer or unofficially from developers like CyanogenMod. Just like we saw the unofficial support for the  Nexus 5 and the Nexus 7  today. As the new AOSP source code is now available to developers, soon you may find Cyanogen 14 based custom ROMS releasing for several devices. Hence, to be ready, you may need to be rooted and also setup a custom recovery like TWRP on your device. So that once the CM 14 bas