OverTheWire - Natas - Level 8 → Level 9

Warning: This post contains a solution!

Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!

Login using given credentials.

Username: natas9
Password: W0mMxxxxxxxxxxxxxxxxxxxxxxxxxxxx
URL:      http://natas9.natas.labs.overthewire.org

Important code from the site's source code:

<?php
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];  // user-controlled value from the form
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");  // $key reaches the shell unescaped
}

This code is vulnerable to Code Injection. In line 9, the value $key from the form is passed directly to the PHP passthru() function, which executes an external program (in this case grep) through the shell, with no further checks or limitations on the value.

Exploiting this is possible with a pattern like ; cat /etc/natas_webpass/natas10. The shell treats the ; as a command separator, so this will execute grep -i; cat /etc/natas_webpass/natas10 dictionary.txt and return the password for the next level.
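
The fix for the flaw described above, as an added example that is not part of the original post or the level's source: the same lookup with the value quoted by escapeshellarg() and passed after -e, plus a variant that never starts an external program. The function names and the sample dictionary are assumptions made for the demo.

```php
<?php
// Added example: hardened versions of the dictionary lookup.

// Variant 1: still calls grep, but the value can no longer leave its argument.
function build_grep_command(string $needle, string $file): string
{
    // escapeshellarg() quotes the value for the shell, so ; | & ` $() stay
    // literal text. -e marks it as the pattern even if it starts with "-";
    // -F makes it a fixed string (drop -F if regex search is wanted).
    return 'grep -i -F -e ' . escapeshellarg($needle)
         . ' -- ' . escapeshellarg($file);
}

// Variant 2: no external program at all, the search happens inside PHP.
function search_dictionary(string $needle, string $file): array
{
    if ($needle === '') {
        return [];
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    return array_values(array_filter(
        $lines,
        fn(string $line): bool => stripos($line, $needle) !== false
    ));
}

// Constructed sample dictionary so the demo runs offline.
$dict = tempnam(sys_get_temp_dir(), 'dict');
file_put_contents($dict, "African\nbanana\ncatalog\n");

// Constructed inputs: an ordinary word and the pattern quoted in the post.
foreach (['an', '; cat /etc/natas_webpass/natas10'] as $needle) {
    $cmd = build_grep_command($needle, $dict);
    $out = [];
    exec($cmd, $out);   // grep receives the whole value as one search string
    echo $cmd, "\n";
    echo '  grep: ', json_encode($out), "\n";
    echo '  php:  ', json_encode(search_dictionary($needle, $dict)), "\n";
}
unlink($dict);
```

With either variant the second input is only searched for as text, so it produces no matches instead of running a second command.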

