
Natas14

Website URL: http://overthewire.org/wargames/natas/natas14.html

According to the data on the OverTheWire webpage:

Username: natas14
URL:      http://natas14.natas.labs.overthewire.org

Let’s log into the URL for Natas13.

Fig. 1

Looking at the source code:

Fig. 2

This script seems to be of the same kind as last time, except that this time there is an additional check that the file is of an image type. Trying to upload anything other than an image file gives us an error.

Fig. 3

Let’s think a bit about how we can circumvent that…

Note that the check is done by the exif_imagetype() function. Reading a bit more about this function reveals that it reads the first bytes of the file and checks its signature.

So, if we have a file of arbitrary type and keep its first few bytes similar to those of an image, we can fool this function into believing that the file is an image. A good payload for this can be made by taking an image and appending the same PHP payload used in the previous level at the end of the image. The file can then be uploaded and the request intercepted via Burp Suite to modify the file extension.

Fig. 4

This should give us a successful upload of a PHP file on the server.

Fig. 5
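
Seen from the server side, the two gaps used above are a check that reads only the leading bytes and a stored extension taken from the request. The following Python sketch is an added example, not code from the level or from the original post: it emulates a signature-only check and pairs it with an upload review that chooses the stored extension itself and records findings for alerting. The function names, the signature table and the sample bytes are assumptions constructed for illustration.

```python
import os
import secrets

# Leading-byte signatures (assumed allowlist for this example).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Extensions a client may legitimately send for each detected type.
ALIASES = {"jpg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"}}
SCRIPT_MARKER = b"<?php"


def sniff_type(data: bytes):
    """Signature-only check: looks at the first bytes and nothing else."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def review_upload(client_name: str, data: bytes):
    """Return (stored_name, findings); stored_name is None if rejected."""
    ext = sniff_type(data)
    if ext is None:
        return None, ["rejected: no known image signature"]
    findings = []
    client_ext = os.path.splitext(client_name)[1].lstrip(".").lower()
    if client_ext not in ALIASES[ext]:
        findings.append(f"extension mismatch: client .{client_ext}, content {ext}")
    if SCRIPT_MARKER in data.lower():
        findings.append("script marker found after image signature")
    # The stored extension comes from the server's own detection, never from
    # the request, so a client-supplied .php cannot reach the upload directory.
    stored_name = f"{secrets.token_hex(8)}.{ext}"
    return stored_name, findings


# Constructed sample: JPEG magic bytes followed by an inert PHP comment.
SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    print(sniff_type(SAMPLE))
    print(review_upload("photo.php", SAMPLE))
```

The findings are meant for logging and alerting; what the stored file can do on the server is decided by the server-chosen name.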

Subsequent steps remain the same, viz. navigate to the file and pass a shell command through the URL using the cmd parameter of a GET request.

http://natas13.natas.labs.overthewire.org/upload/vb6xc4rgyv.php?cmd=cat%20/etc/natas_webpass/natas14
Fig. 6

Done!

Password for next level: Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
