OverTheWire - Natas - Level 8 → Level 9
Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Login using given credentials.
Important code from the site sourcecode:
This code is vulnerable to Code Injection. In line 9, the value
$key from the formular is directly passed to the PHP
passthru() function, which executes an external program - in this case
grep - and has no further checks or limitations.
Exploiting this is possible with a pattern like
; cat /etc/natas_webpass/natas10. This will execute
grep -i; cat /etc/natas_webpass/natas10 dictionary.txt and return the password for the next level.