Natas - Level 14

Connection information

  • Username: natas13
  • Password: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
  • URL: http://natas13.natas.labs.overthewire.org

Information given

The white box is composed of four parts:

  1. The first part is text reading: "For security reasons, we now only accept image files! Choose a JPEG to upload (max 1KB):"
  2. The second part is a button named Browse…
  3. The third is a button named Upload File
  4. The last is a link View sourcecode pointing to http://natas12.natas.labs.overthewire.org/index-source.html

Source code

<?
function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";
    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }
    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
        $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

// The stored extension is taken from the client-supplied "filename" field.
function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);
    if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    // exif_imagetype() only reads the file's leading signature bytes.
    } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
        echo "File is not an image";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>
<form enctype="multipart/form-data" action="index.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="1000" />
<input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
Choose a JPEG to upload (max 1KB):<br/>
<input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
<? } ?>

Getting the password

https://phocean.net/2013/09/29/file-upload-vulnerabilities-appending-php-code-to-an-image.html
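
The handler in the source code above names the stored file with the extension from the client-supplied filename field and relies on exif_imagetype(), which only inspects the file's leading signature bytes. A hardened variant, as an added example that is not part of the challenge or the original page; storeUpload() and EXT_BY_TYPE are hypothetical names, and it assumes the exif and GD extensions are available:

```php
<?php
// Added example, not the challenge's code: hardened handling of the same upload.
// storeUpload() and EXT_BY_TYPE are hypothetical names; needs the exif and GD extensions.

// The server picks the extension from the detected type, never from $_POST.
const EXT_BY_TYPE = [IMAGETYPE_JPEG => 'jpg'];

function storeUpload(array $file, string $dir): ?string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        return null;
    }
    if (filesize($tmp) > 1000) {
        return null;                       // same 1 KB limit as the original form
    }
    // exif_imagetype() only inspects the leading signature bytes, so it is used
    // to choose the extension, not as proof that the file is a clean image.
    $type = @exif_imagetype($tmp);
    $ext  = ($type === false) ? null : (EXT_BY_TYPE[$type] ?? null);
    if ($ext === null) {
        return null;
    }
    // Decode and re-encode with GD: a file that does not parse as a JPEG is
    // rejected, and bytes appended after the image data are not copied over.
    $img = @imagecreatefromjpeg($tmp);
    if ($img === false) {
        return null;
    }
    do {
        $path = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    } while (file_exists($path));

    return imagejpeg($img, $path, 90) ? $path : null;
}

if (isset($_FILES['uploadedfile'])) {
    $stored = storeUpload($_FILES['uploadedfile'], 'upload');
    echo $stored === null
        ? 'Upload rejected'
        : 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES);
}
```

Keeping the upload directory configured so the web server never executes scripts from it is a separate control that this code does not provide.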