We covered the OverTheWire Natas Level 16 CTF, a blind SQL injection scenario that uses command substitution to bypass character filters. The filter uses PHP's preg_match function to blacklist characters commonly used in SQL injection. This challenge is part of the OverTheWire War Games, Natas Level 16.

Understanding the Challenge

The application filters out common SQL injection characters such as double quotes, single quotes, backslashes, and pipe characters. However, the percent sign (%) and dollar sign ($) are not filtered. The application uses the passthru function to run grep with the user input against a dictionary file (dictionary.text). If there’s a match, it displays the matching words; otherwise, it shows nothing. My goal is to extract the password for Natas level 17, which is stored in the file /etc/natas_webpass/natas17.

Exploiting Command Substitution

I realized I could use command substitution, i.e. the $(command) syntax: the shell runs the inner command and replaces the whole expression with its output.

Formulating the Attack

I used grep inside the command substitution to test for characters in the natas17 password file. For example, to check whether the letter ‘a’ exists: $(grep a /etc/natas_webpass/natas17). The application logic is a bit counter-intuitive here:

  • If a character exists in the password file (meaning grep finds a match and returns output), that output becomes the search term of the outer grep, which matches nothing in the dictionary, so the web application shows no output in the browser.
  • If a character does not exist (meaning grep finds no match and returns no output), the outer grep runs on the rest of the input and the web application shows output (words from dictionary.text).

Scripting the Solution

I adapted a Python script from the previous challenge to automate the process. The script defines the URL, credentials, and a string of possible characters for the password. It uses nested loops:

  • The outer loop iterates 34 times (assuming the password length is 34 characters).
  • The inner loop iterates through each character in the defined character set.

Inside the loops, it constructs a URL containing the command substitution. The grep command uses the ^ anchor in its regular expression to check whether the character (or the sequence of characters found so far) appears at the beginning of the password in the natas17 file. The script then checks whether the word “testing” is present in the response.

  • If “testing” is not present, grep returned output (the matching password prefix), which was substituted into the search term and so suppressed the dictionary output. This means the tested character is correct, and it is appended to the password array.
  • If “testing” is present, it means grep returned no output, so the character is not part of the password.
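To show why the blacklist described above lets $(...) through, what a hardened check looks like, and how such requests can be spotted in web logs, here is an added Python example (my own code, not the challenge source or the script from the video). The blacklist, allowlist, log lines and the "needle" parameter name are constructed assumptions; the real Natas source may differ.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed approximation of the blacklist the post describes (quotes,
# backslash, pipe). Note what it does NOT list: '$', '(' and ')'.
BLACKLIST = re.compile(r'[|\'"\\]')
# Hardened alternative: allow only what a dictionary lookup can need.
ALLOWLIST = re.compile(r'^[A-Za-z0-9-]{1,32}$')
DICTIONARY = "dictionary.text"   # the file name used on the page

def blacklist_rejects(needle):
    """Vulnerable check: '$(...)' passes because no listed character is present."""
    return BLACKLIST.search(needle) is not None

def allowlist_rejects(needle):
    """Hardened check: anything outside the expected alphabet is refused."""
    return ALLOWLIST.match(needle) is None

def safe_grep_argv(needle):
    """argv for subprocess.run(argv) with no shell: the needle becomes one
    literal argument, so $(...) is never evaluated even if a check is bypassed.
    '--' stops a needle such as '-r' from being read as a grep option."""
    return ["grep", "-i", "--", needle, DICTIONARY]

def suspicious_needles(log_lines):
    """Detection: return decoded 'needle' values from access-log lines that
    carry shell substitution syntax ($(, backtick, ${) after URL decoding."""
    markers = ("$(", "`", "${")
    hits = []
    for line in log_lines:
        path = line.split('"')[1].split()[1]      # "GET /path?q=v HTTP/1.1"
        for needle in parse_qs(urlparse(path).query).get("needle", []):
            if any(m in needle for m in markers):
                hits.append(needle)
    return hits

# Constructed access-log lines: one normal lookup, two injection attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?needle=testing HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?needle=%24%28grep+a+%2Fetc%2Fnatas_webpass%2Fnatas17%29testing HTTP/1.1" 200 64',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?needle=%60id%60 HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    payload = "$(grep a /etc/natas_webpass/natas17)"
    print("blacklist rejects payload:", blacklist_rejects(payload))   # False
    print("allowlist rejects payload:", allowlist_rejects(payload))   # True
    print("flagged needles:", suspicious_needles(SAMPLE_LOG))
```

The lesson is the one the challenge teaches from the other side: a character blacklist is only as good as the list, whereas an allowlist plus a shell-free argv leaves nothing for substitution to act on.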

Executing and Retrieving the Password

Running the script iterates through characters, building the password piece by piece. Once the script finishes, it reveals the full password for Natas 17.

Technical Commands

While the video focuses on the logic and the Python script, the core command being exploited through substitution is grep. Here’s how it is used conceptually within the script’s logic:

  • grep a /etc/natas_webpass/natas17 (This is the conceptual command; the script builds this dynamically within the URL).
  • The script also uses touch test and implies opening it with a text editor, but this is for demonstration purposes and not part of the core attack.

Natas Level 16 Password:

TRD7iZrd5gATjj9OkPEuaOlfEjHqj32V

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.