Author: dugisec

Natas Level 15

We have a box here we can use to check whether a username exists or not.  I started out trying some regular inputs like this: Then I tried something more devious, a single quotation mark: We get an error message, but it’s not as specific as the last level.  This

Read More »

Natas Level 14

Just a plain looking login page, lets jump to the source code: So $query is being initialized with unsanitized user input via $_REQUEST[“username”] and $_REQUEST[“password”].  I wonder what would happen if we put a quotation mark(“) in either field?  Let’s try it, we’ll also include “?debug=1” in the URL because

Read More »

Natas Level 13

This is just like level 12 except this time they claim they are checking that the uploaded files are actually images.  If we peek at the source we can see they are using the function exif_imagetype() to do the check.  Here’s the code snippet: According to php.net “exif_imagetype() reads the

Read More »

Natas Level 12

We actually don’t even need to look at the source code to beat this level.  They are allowing us to upload a JPEG up to 1KB in size.  I’m willing to bet that they don’t even check to see if we really are uploading a JPEG.  If I’m right we

Read More »

Natas Level 11

This level has some meat to it so let’s jump right to the source code: We’ll follow the flow of execution and take it (almost) line by line. This creates an array called $defaultdata with two keys “showpassword” and “bgcolor” with values set to “no” and “#ffffff” respectively. This sets

Read More »

Natas Level 10

This level is almost identical to the previous, except for some minor input sanitation.  The script is now checking for the existence of three characters, “;”, “|”, and “&” in the user input.  If they are found we receive an error message.  See for yourself: The great thing about this

Read More »

Natas Level 9

The form’s action is pretty self explanatory, but how does it work? passthru() executes system commands and displays the raw output.  They are grepping for $key in the file “dictionary.txt”.  There does not appear to any input sanitation, and this is good news for us 🙂 If we set $key

Read More »

Natas Level 8

This looks familiar, let’s jump right into the source code here. It looks like we need to submit a string which will be equal to $encodedsecret after going through their encoding scheme which, when broken down looks like this: If you are unfamiliar with any of these functions I encourage

Read More »

Natas Level 7

So we log in to Natas 7 and see two links, let’s click on “home” and check out the page source shall we? There are a couple things to notice here.  After we click on home the address bar in our browser looks like this: http://natas7.natas.labs.overthewire.org/index.php?page=home index.php?page=home means that we

Read More »

Natas Level 6

What’s the secret?  Let’s find out! This time they give us the source code to index.php to look at.  This is because when you right click > view source on a php page in your browser, only the html is visible, and not the php code.  The source looks like

Read More »