Natas - Level 13

2 November 2017

Connection information

Information given

The white box is composed of four parts:

  1. The first part is a text displaying : " Choose a JPEG to upload (max 1KB):"
  2. The second part is an buttonh named Browse...
  3. The third is a button named Upload File
  4. The last is a link View sourcecode pointing to

Source code

function genRandomString() {
  $length = 10;
  $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
  $string = "";
  for ($p = 0; $p < $length; $p++) {
    $string .= $characters[mt rand(0, strlen($characters)1)];
  return $string;

function makeRandomPath($dir, $ext) {
  do {
    $path = $dir."/".genRandomString().".".$ext;
  } while(file exists($path));
  return $path;

function makeRandomPathFromFilename($dir, $fn) {
  $ext = pathinfo($fn, PATHINFO EXTENSION);
  return makeRandomPath($dir, $ext);

if(array key exists("filename", $ POST)) {
    $target path = makeRandomPathFromFilename("upload", $ POST["filename"]);
    if(filesize($ FILES[’uploadedfile’][’tmp name’]) > 1000) {
      echo "File is too big";
    } else {
      if(move uploaded file($ FILES[’uploadedfile’][’tmp name’], $target path)) {
        echo "The file <a href=\"$target path\">$target path</a> has been uploaded";
      } else{
        echo "There was an error uploading the file, please try again!";
} else {bandit25. Please enter the password for user bandit2
  <form enctype="multipart/form−data" action="index.php" method="POST">
  <input type="hidden" name="MAX FILE SIZE" value="1000" />
  <input type="hidden" name="filename" value="<? print genRandomString(); ?>.jpg" />
  Choose a JPEG to upload (max 1KB):<br/>
  <input name="uploadedfile" type="file" /><br />
  <input type="submit" value="Upload File" />
<? } ?>

Getting the password

From the source code, it looks like we should play on the file extension. If we try to upload text.txt, the file will be uploaded to qsd92e.jpg. What we need to do is modify the form before sending it. We can do that with the developer tools of every web browser. Once we do that, we change the filename to what we like, and the file will be uploaded with our filename. From there, we create a .php file with this code:

include "/etc/natas webpass/natas13";

We upload the file a go to the link displayed. Here is what we get: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY