iFantasticLife



Natas10 - Command Injection Part 2

20 Feb 2021 - OverTheWire - Natas

website: http://natas10.natas.labs.overthewire.org/ (password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu)

In this challenge, some special characters, such as ; (the one we used to crack Natas9), are filtered to prevent command injection:

if($key != "") {
    // Denylist: only ; | & are rejected; spaces and extra file names pass through
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        // $key is interpolated unquoted, so it can expand to several grep arguments
        passthru("grep -i $key dictionary.txt");
    }
}

The above change makes our command injection less straightforward than the previous one. However, if you are familiar with grep, you will quickly realize that it accepts multiple file names and looks for the pattern in all of them. With that in mind, I entered the following input in the textbox: . /etc/natas_webpass/natas11 (the pattern ., which matches any character, followed by a second file name). The website's output for that input is:

    Output:
    /etc/natas_webpass/natas11:U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK
    dictionary.txt:African
    dictionary.txt:Africans
    ... <skip lines below>

As you can see, grep searched for the pattern . (which matches any character) in two files: the one from my input, /etc/natas_webpass/natas11, and the dictionary file.

CONCLUSION

There are different ways to inject commands. Even if you filter out some special characters, you may still leave other holes open, as the extra file name here shows. Therefore, the ultimate direction is to avoid passing user input to vulnerable functions such as passthru at all.
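The fix side of that lesson, as an added example (not the challenge's own source): the original denylist check beside two hardened alternatives in PHP. It assumes $key holds the raw text-box value and that dictionary.txt is in the working directory, as on the challenge page; the no-shell variant does a plain case-insensitive substring match rather than a regex.

```php
<?php
// Added example, not the challenge's own code. Assumes $key is the raw text-box
// value and dictionary.txt is in the working directory.

// 1. The original approach: a denylist of ; | & does not stop the space that
//    splits ". /etc/natas_webpass/natas11" into a pattern plus an extra file name.
function search_denylist(string $key): string {
    if (preg_match('/[;|&]/', $key)) {
        return "Input contains an illegal character!";
    }
    ob_start();
    passthru("grep -i $key dictionary.txt");   // $key still expands to several argv words
    return (string) ob_get_clean();
}

// 2. If a shell command is unavoidable: quote the whole input as ONE argument,
//    mark it as the pattern with -e (so a leading "-" is not parsed as an option)
//    and end option parsing with -- before the single, fixed file name.
function search_quoted(string $key): string {
    $cmd = "grep -i -e " . escapeshellarg($key) . " -- dictionary.txt";
    ob_start();
    passthru($cmd);
    return (string) ob_get_clean();
}

// 3. The direction the conclusion recommends: no shell at all. A case-insensitive
//    substring search over the file in PHP needs neither passthru nor a filter.
function search_no_shell(string $key, string $file = "dictionary.txt"): array {
    $hits = [];
    $lines = file($file, FILE_IGNORE_NEW_LINES);
    if ($key === "" || $lines === false) {
        return $hits;
    }
    foreach ($lines as $line) {
        if (stripos($line, $key) !== false) {
            $hits[] = $line;
        }
    }
    return $hits;
}

$input = ". /etc/natas_webpass/natas11";   // the payload from the write-up
// search_denylist($input) would print the password file; the two alternatives do not:
echo search_quoted($input);                 // grep finds no dictionary line matching this regex
print_r(search_no_shell($input));           // empty array: no dictionary word contains that text
```

With search_quoted the entire input is searched for as a single pattern inside dictionary.txt only, so adding a file name to the input no longer changes which files grep reads.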
