Natas26
Website URL: http://overthewire.org/wargames/natas/natas26.html
According to the data on the OverTheWire webpage.
Username: natas26
URL: http://natas26.natas.labs.overthewire.orgLet’s log into the URL for Natas25
Looking at the source:
The code seems to indicate that the page loads a file based on the GET request’s lang parameters. The first thing that should strike is the directory traversal attack. However, the script filters our ‘../’ if it exists in the string. To bypass it by nesting the characters.
http://natas25.natas.labs.overthewire.org/?lang=..././
So, we get one point of entry, i.e. the directory traversal. However, we cannot read the password file directly, as that has been filtered out. Let’s revisit the source once more and see what we can leverage.
In the logRequest function, notice that the “User-Agent” is being written into the log file. Let’s see if we can open the log file by modifying the URL and the PHPSESSID.
As you can see, HTTP User Agent from the header is being recorded in the log file. If we modify the User-Agent header, we can possibly inject code to read the password file and place it in the log.
Now, the User Agent is being appended to a string. So we need to modify UserAgent in such a way that the contents of our target file are obtained and appended to the string. One way to do it is via file_get_contents() function. Accordingly, the payload will be:
<?php echo file_get_contents('/etc/natas_webpass/natas26')?>
Done!
Password for next level: oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T