We covered OverTheWire War Games Natas Level 16, a CTF challenge in which a blind SQL injection scenario is solved with command substitution to bypass a character filter. The filter used the PHP preg_match function to blacklist characters commonly used in SQL injection.
Understanding the Challenge
The application filters out common SQL injection characters such as double quotes, single quotes, backslashes, and pipe characters. However, the percent sign (%) and the dollar sign ($) are not filtered. The application passes user input to grep through PHP's passthru function, searching a dictionary file (dictionary.text). If there is a match, it displays the output; otherwise it displays nothing. My goal is to extract the password for Natas Level 17, which is stored in the file /etc/natas_webpass/natas17.
Exploiting Command Substitution
I realized I could use command substitution, the $(command) syntax, in which the shell replaces the expression with the output of the command.
Formulating the Attack
I used grep inside the command substitution to test for characters in the natas17 password file. For example, to check whether the letter 'a' appears: $(grep a /etc/natas_webpass/natas17). The application's logic is a bit counter-intuitive here:
- If the character exists in the password file (grep finds a match and produces output), that output becomes part of the search term and the web application shows no output in the browser.
- If the character does not exist (grep finds no match and produces no output), the web application shows output (words from dictionary.text).
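As an added example (not code from the writeup or from the challenge), the weak blacklist check described above is reconstructed in Python beside a corrected allowlist check and a grep call that never goes through a shell; the blacklist regex and the dictionary contents are assumptions made for the example:

```python
import re
import subprocess
import tempfile

# Blacklist reconstructed from the writeup's description (double quote, single
# quote, backslash, pipe); an assumption, not the challenge's own regex.
BLACKLIST = re.compile(r'["\'\\|]')
# Allowlist: a dictionary lookup only ever needs letters, so accept nothing else.
ALLOWLIST = re.compile(r'[A-Za-z]+')


def blacklist_allows(user_input: str) -> bool:
    """Weak check: anything that avoids the listed characters passes,
    so $(...) survives because $, ( and ) are not on the list."""
    return BLACKLIST.search(user_input) is None


def allowlist_allows(user_input: str) -> bool:
    """Corrected check: only a plain word passes; every metacharacter is rejected."""
    return ALLOWLIST.fullmatch(user_input) is not None


def safe_grep(word: str, dictionary_path: str) -> list:
    """Run grep with an argument list and no shell: even if validation were
    skipped, the input would reach grep as a literal pattern, never as a command."""
    if not allowlist_allows(word):
        raise ValueError("input rejected by allowlist")
    result = subprocess.run(
        ["grep", "-i", "--", word, dictionary_path],
        capture_output=True, text=True, check=False,
    )
    return result.stdout.split()


def make_dictionary() -> str:
    """Write a small constructed dictionary file (sample data, not the challenge's)."""
    handle = tempfile.NamedTemporaryFile("w", suffix=".text", delete=False)
    handle.write("apple\ntesting\ntested\nzebra\n")
    handle.close()
    return handle.name


if __name__ == "__main__":
    probe = "$(grep a /etc/natas_webpass/natas17)"  # the input shape from the writeup
    print("blacklist allows probe:", blacklist_allows(probe))  # True: the bypass
    print("allowlist allows probe:", allowlist_allows(probe))  # False
    print(safe_grep("test", make_dictionary()))  # ['testing', 'tested']
```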
Scripting the Solution
I adapted the Python script from the previous challenge to automate the process. The script defines the URL, credentials, and a string of candidate password characters, and uses two nested loops:
- The outer loop iterates 34 times (assuming the password length is 34 characters).
- The inner loop iterates through each character in the defined character set.
Inside the loops, it constructs a URL containing the command substitution. The grep command anchors its pattern with ^ to check whether the character (prefixed by the password characters found so far) is at the beginning of the password in the natas17 file. The script then checks whether the word "testing" is present in the response:
- If "testing" is not present, grep returned output (the matching password prefix), which became part of the search term. This indicates the tested character is correct, and it is appended to the password array.
- If "testing" is present, grep returned no output, so the character is not part of the password at that position.
Executing and Retrieving the Password
Running the script iterates through characters, building the password piece by piece. Once the script finishes, it reveals the full password for Natas 17.
Technical Commands
While the video focuses on the logic and the Python script, the core command exploited through substitution is grep. Here is how it is used conceptually within the script's logic:
grep a /etc/natas_webpass/natas17
(This is the conceptual command; the script builds it dynamically within the URL.)
- The script also uses touch test and implies opening the file in a text editor, but this is for demonstration purposes and not part of the core attack.
Natas Level 16 Password:
TRD7iZrd5gATjj9OkPEuaOlfEjHqj32V
Video Walkthrough