Level 15 - Level 16
Overview
This time we got an input field with an link to the source code.
Source Code Analysis
On checking the source code, input keyword/string that we give is directly supplied as a parameter to the grep command, which looks out for matching strings in the dictionary.txt file and returns the output.
This time the $key is enclosed with quotes which means whatever special characters or command we give will be considered as a string. And also this time all types of quotes are also blacklisted.
But still the above code is vulnerable to command injection, since we can use $() to execute shell commands. But we have to create a payload such that we extract data using the grep command, since the input is substituted in a grep command.
Testing Command Injection
We can use grep and regexp and try to match data from /etc/natas_webpass/natas17 and extract the password by brute-forcing. For that first we need a wordlist of alphanumeric characters ( since we know that the password only contains alphanumeric characters ), which can be generated using the following command.
Next for brute-forcing the input, I am using ffuf, since its fast and optimized. But before we start brute-forcing, we need to find a way to filter the response, to check whether the data is matched or not.
To do that, first we have to find a unique word, that is present in the dictionary.txt from which the words are filtered by the application. To do so, I searched for words containing the letter a. It responded me with a list of words that contains the letter a, from which I chose the word Americanisms, as it is not repeated.
Now, whenever we try to grep the character from passwords file, for example we are giving the following input: Americanisms$(grep ^b /etc/natas_webpass/natas), which will respond with the value Americanisms, since the password doesn't start with the character b.
Let's break down the payload: Americanisms$(grep ^b /etc/natas_webpass/natas)
We are using grep to lookout for words starting with b. If our password starts with the letter b, then the grep command will return the password prepended with the word Americanisms ( Americanisms<grep_password> ), but since our input is enclosed within quotes,
the resulting command will be,
where the string Americanisms<grep_password> will be searched in the dictionary.txt, which returns nothing since there is no string word like Americanisms<grep_password> in the dictionary.txt.
But if the password doesn't start with the character b, then the resulting string will be Americanisms, since the result of the grep command will be null as the password doesn't start with the character b, the string Americanisms will be searched in the dictionary.txt, which will return the word Americanisms.
Now we have a way to filter our response, i.e., if our response has the word Americanisms, then our password doesn't starts with the character we tried. If our response doesn't has the word Americanisms, then our password starts with the character we tried. Let's test this using ffuf:
The ffuf command successfully worked, and we have successfully found our first character of the password. To find the next character, we have to append the first character that we found to the payload this time: Americanisms$(grep ^X /etc/natas_webpass/natas).
Now we got our second character.
Getting the Password
To get the third character we have to prepend Xk to the command. This process repeats unitil we find the entire password. So I have created a simple bash script to automate this process:
It's time to run the script:
And finally we got the password for the next level.
Last updated
