Sunday, November 2, 2014
Natas 10 seems to be quite similar to Natas 9, except there's some filtering of what you can pass in as the key.
The filter takes away our ability to pass in multiple shell commands with the ";" character, but we can still do a few things to have the script perform unintended actions.
Like the last one, we want to access the password file stored in /etc/natas_webpass/ (this time /etc/natas_webpass/natas11).
We can "chop off" the dictionary.txt ending by using the comment character (#), and so we'll still be able to have the grep command search through whatever file we'd like.
Trying "a /etc/natas_webpass/natas11 #" will search /etc/natas_webpass/natas11 for the "a" character, but if "a" or "A" isn't present in the file, we'll see nothing in the response...
Is there a way we could guarantee the grep command would find something?
What if we spawn a subshell that prints out the contents of /etc/natas_webpass/natas11 and use that as our key?
Using "$(cat /etc/natas_webpass/natas11) /etc/natas_webpass/natas11 #" yields the command "grep -i $(cat /etc/natas_webpass/natas11) /etc/natas_webpass/natas11 # dictionary.txt"