Sunday, November 2, 2014

Natas 13


Natas 13 looks similar to Natas 12, except that an additional security check has been put in place: it now "only accepts image files":



Taking a look at the source code, it looks like the check is done with a call to exif_imagetype().


Interestingly, exif_imagetype() works by looking only at the beginning of the file (the format's signature bytes). Since we're still able to set the extension to ".php" like before, if we can get a PHP script that passes this check, we'll get arbitrary code execution like before.
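Because exif_imagetype() only reads the leading signature bytes, it answers "does this start like an image?" rather than "is this only an image?". The following upload handler is an added example, not code from the Natas level itself, showing how a server can keep that check while closing the gap the write-up exploits: it ignores the client-supplied filename entirely, re-encodes the file through GD so that any trailing non-image data is dropped, and assigns the extension from the detected type. The form field name "uploadedfile" and the destination directory are assumptions.

```php
<?php
// Added hardening example (not the Natas 13 source). Assumptions: the
// upload form field is named "uploadedfile" and files are stored under
// __DIR__ . '/upload' (hypothetical path).

// Accepted image types mapped to the extension the server will assign.
// The client-supplied filename and extension are never used.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function storeImageUpload(string $tmpPath, string $uploadDir): ?string
{
    // 1. Signature check, the same call Natas 13 makes. On its own this is
    //    weak because it only inspects the first bytes of the file.
    $type = @exif_imagetype($tmpPath);
    if ($type === false || !isset(ALLOWED_TYPES[$type])) {
        return null;
    }

    // 2. Decode through GD. A file that is "a tiny image with a script
    //    appended" is parsed as an image only; the trailing bytes are not
    //    part of the decoded pixel data and are not written back out.
    $img = match ($type) {
        IMAGETYPE_JPEG => @imagecreatefromjpeg($tmpPath),
        IMAGETYPE_PNG  => @imagecreatefrompng($tmpPath),
        IMAGETYPE_GIF  => @imagecreatefromgif($tmpPath),
    };
    if ($img === false) {
        return null;
    }

    // 3. Server-chosen random name; the extension comes from the detected
    //    type, not from $_FILES[...]['name'], so ".php" can never appear.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // 4. Write a freshly encoded image rather than copying the upload.
    $ok = match ($type) {
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 90),
        IMAGETYPE_PNG  => imagepng($img, $dest),
        IMAGETYPE_GIF  => imagegif($img, $dest),
    };
    imagedestroy($img);

    return $ok ? $name : null;
}

if (isset($_FILES['uploadedfile'])
    && is_uploaded_file($_FILES['uploadedfile']['tmp_name'])) {
    $stored = storeImageUpload($_FILES['uploadedfile']['tmp_name'], __DIR__ . '/upload');
    if ($stored === null) {
        echo "File is not an image";
    } else {
        echo "The file has been uploaded as " . htmlspecialchars($stored);
    }
}
```

The re-encoding step is what actually defeats the polyglot trick; the random name and server-assigned extension remove the second half of the attack (choosing ".php"). As a further layer, the upload directory should be configured so the web server never executes scripts from it, so that even a file that somehow survives both steps is served as static content.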

If we take a very small image file and append our shell from before to the end of it, will it work?


It looks like it does!


Sending the above request lets us use the same idea from Natas 12 to have the server print out the password from /etc/natas_webpass/natas14:

As you might expect, you have to ignore the part before "code:" (that's the image we used to start with!).
