Python Web Hacking: Remote Code Execution | Natas: OverTheWire (Level 10)

Key Takeaways

what's up everybody John Hammond here back at the nattis war game from over thewire uh just finished up on level 10 now uh was looks to be pretty similar to level 9 uh I went ahead and ran the script um so we can check out the URL what's in the page right here and let's actually view it it says for security reasons we now filter on certain characters uh and let's has another fine words containing a needle and a Hy stack uh same functionality we had seen in the previous level but we can take a look at the s code and see what they're doing since they say they're filtering on certain characters so let's add that to our URL just do the get request on that and as usual this is pretty gross but we can run tidy HTML on it um we can run the HTML de entiti entities and this BR or HTML Break Tag it's kind of annoying we can control h to find replace those V and let's replace them with nothing I'm going to hit control alt and enter here so they all go away cool so we've got the PHP code denoted here um and we can search for a key that's um determined whether or not um we have actually submitted a request or posted to this web page and it's testing that determining whether or not this key exists if needle if that form input was provided and if it doesn't equal an empty string if if it were actually provided from this previous conditional it'll test if prg match um looks like braces of uh Square braces containing a semicolon pipe symbol Amper sand all inside the key um so preg match is um Regular expressions and it's testing is there a match for anything in this regular expression set you can tell it's regular Expressions by the forward slash beginning and ending and in regular Expressions the square brace means anything within this character set so anything like a semicolon pipe symbol or Amper sand in this case will return a match and it's testing on the key that's provided so whatever we actually input and otherwise it will return out it'll display input contains an illegal character otherwise it'll go ahead and run the command like it had in the previous level actually run GP um we can view this in the web page if we wanted to let me fire that up here steal the URL open up Firefox and we are in nattis 10 so let me just copy and paste this password here okay great so if we had anything with a semicolon at the end it'll say oh this input contains an Legal character so we can't use those but that's okay because in the last video for natus 9 um we didn't end up using any of those characters the exploit quote un quote or the technique we ended up using was posting to this page and doing some command injection to say I want to grip for anything with the period because of regular expressions in the file uh the like nattis password file in this case we want nattis 11 now because we're on level 10 we want to advance to the next level and then we use a uh pound symbol or a hashtag to comment out the rest of the line so it didn't actually check out dictionary. text it would just only uh run grep and process through the password file for the next level so since the hashtag or that pound symbol is not in this illegal character list it's not in this regular expression Set uh we can run this exact same thing and we should still be able to you know get the next password so let's run that post command um run that function and let's see what's returned to us go ahead and print the content out I just changed URL to make sure it's actually interacting with the page keep in mind you may have to do that if you forgot to but output here is the password for the next level right that okay we're done awesome because all we did was just that little technique um grap for anything the period here um specify the file that we want ET Rus web pass notus 11 and then comment out the rest because since there wasn't any sanitization or any filtering done to really um what's being input into that GP command or into that like system call that shell command um we were able to just inject just like that same as the last level pretty easy pretty simple really just reusing that same exploit and now we're ready to move on let's go to uh natus 11 create a script for that I'm going to have to replace it because I already had some stuff that I was just experimenting with and now we can check out what this level is this is going to be a pretty big one pretty long video for uh natus 11 um so that's why I wanted to offset with a pretty short video here for natus 10 because it's really the same attack as the nus level 9 UM thanks for watching guys hope you're enjoying these I hope you're enjoying this video um if you do please like the video comment tell me what you think uh what more videos you want to see if you're willing to subscribe and thanks for watching guys hope you're enjoying these see you later