Thursday, November 27, 2014
Natas 26 is a drawing tool that gives you the ability to input X,Y coordinates and see a picture of a line drawn between two points:
Looking at the code, it looks like more PHP code, similar to many of the past levels:
One thing that immediately sticks out is that the filename of the image uses the session ID directly and is clearly injectable:
We can verify the injection like this:
But that alone isn't going to be enough to get the flag for the next level (located in /etc/natas_webpass/natas27).
After browsing the code a little bit more and not seeing anything that stuck out, I started wondering about the Logger class. It doesn't seem to be used anywhere, so it's strange that it's there.
I wondered if there was any way to use it for a while, and then stumbled on this article on OWASP's website: https://www.owasp.org/index.php/PHP_Object_Injection
It looks like their PHP code will unserialize an arbitrary object contained in the "drawing" cookie. Because of this, we can use this by sending it a serialized Logger object with the fields set in such a way that it will create a shell.php script on the server for us.
I wrote a bit of PHP to run locally to create the cookie object we need:
// initialise variables
$this->initMsg="the answer is <? passthru('cat /etc/natas_webpass/natas27'); ?>\n\n";
$this->exitMsg="the answer is <? passthru('cat /etc/natas_webpass/natas27' ); ?>\n";
$this->logFile = "img/shell.php";
$obj = new Logger("hello");
Now, if we override the cookie we receive from the server with this one, we can send the custom Logger object and have the server create the PHP script on the server:
Next time we browse to the site, we can see in the error log that our Logger object was created!
Navigating to img/shell.php will run our PHP script and give us the flag-