Warning: This post contains a solution!

Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!

Login using given credentials.

URL: http://natas9.natas.labs.overthewire.org
Username: natas9
Password: W0mMxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Important code from the site sourcecode:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>

This code is vulnerable to Code Injection . In line 9, the value $key from the formular is directly passed to the PHP passthru() function, which executes an external program - in this case grep - and has no further checks or limitations.

Exploiting this is possible with a pattern like ; cat /etc/natas_webpass/natas10. This will execute grep -i; cat /etc/natas_webpass/natas10 dictionary.txt and return the password for the next level.

References

• https://owasp.org/www-community/attacks/Code_Injection
• https://www.php.net/manual/function.passthru.php