What's up guys, John Hammond here, coming back at you with another video for the Natas wargame from OverTheWire. So we just got the password for level 9, and we've got a script that will get the web page content for us so we don't have to use a web browser. This one looks like it's saying, alright, Natas 9. Here's a form: "You can find words containing", and the input's just regular text, a variable. It looks like the variable name is "needle", and it looks like it'll search for us. The output is displayed in pre-formatted text, and we could probably see that in the web browser if we really wanted to. Let's do that just so you get an idea of what this level looks like: natas9, natas9. And you can see there's the option here to view source code, so we can check that out: index-source.html. Yep, that was the name of the file, and we can do that in our Sublime Text stuff if we really wanted to, we could decode that if we wanted to, or we can just view it in the web browser, so it'll handle that a little bit more nicely. Okay, so it looks like PHP code. Note here the variables with a dollar sign, and "key" is apparently set to whatever we post, or whatever is requested once we communicate with the server. And if key is not an empty string, it will pass through... what is that? Looks like a function, passthru. I'll check that out, and it's... oh, it looks like it might be running a command here, grep. So like we've kind of done in the command line with a bash shell: grep whatever we pass to it, nice, key, in dictionary.txt. dictionary.txt must be a word list, our dictionary that it's looking through. What is the PHP passthru function? Is it literally just gonna run a command for us?
Yes, it will totally just execute commands and display output. Okay, so we could potentially have remote code execution here, and we can totally get in the way of it, because we're just passing in raw arguments to this thing. So if we wanted to find words that say, like... find words containing "app". Okay, all of these things in dictionary.txt: apple, obviously, right? "What's", et cetera. So we can put more in here, like, how about a period? So grep will use the regular expressions here, and that will return... a period will match everything, just like regular expressions will match any character, so it returned the entire dictionary.txt file. But since we're supplying this as an argument that, you can see, went through without any, like, quotes surrounding it to specify that that is a single argument, we could bleed into other arguments here and specify other files that we want to read, or change up how this command works. Let's take a look, and let's do that in our shell here, or our Sublime Text script. needle can be "app" to see if we get responses. Let's run this. We don't want to go to index-source anymore, I want to be posting it to the actual page, and we're getting all of this output. So can we return anything with the period? Huh. Okay, it must be getting some strange characters out, so let's go... let's just do "app". Huh. Okay, maybe some strange characters are in this dictionary that Python does not want to render for us. We can change the encoding here: coding equals utf-8. That's the magic Python syntax to suddenly be okay with Unicode characters. Will that work for us? No. Okay, man, that's super annoying. Let's do this with a browser then, I suppose. At least let's figure out our attack. Let's say we can actually return anything, and if we had a space in between this, we can actually ask for another file that we want to look through, I think, right? Let's go to natas_pass, and we want natas10, right?
Search. Looks like it returns from the file that things matched in, but the Natas password file should get a result. It should have matched at some point. Let's check it out. Let's Ctrl-F for it: natas9, natas10, no luck. Huh, was it in /etc? Is it just going to display anything for us that's not dictionary.txt? Doesn't look like there's any other notion of Natas. No. So maybe that didn't work. Okay, well, we still have command execution, right? Can we do a period, or like anything, from nowhere? Yep, nothing, nothing from nowhere. And use a comment to end what we're in and the rest of the line here, so it doesn't put in that dictionary.txt for us. But we use a semicolon to note a new command, right? Okay, cool. So we've got command injection just like that. So now we should just be able to cat natas_pass/natas10. Is that not the right location? OverTheWire... whoa, what the heck, overthewire.org. What am I doing? Natas: /etc/natas_webpass. Oh, I'm a fool. So the old attack probably would have worked just fine: /etc/natas_webpass/natas10. Yeah, oh geez, it totally would have worked just fine, except I'm an idiot. I'm sorry, I didn't even realize that path, guys. I thought it was the same syntax as the other wargames. Well, hey, okay, that's done for us, right? There's the attack. We can return anything, and let's just get something that we know is in here. Actually no, we can just say "anything", and then we can still use a comment to not include the dictionary.txt file: /etc/natas_webpass/natas10, and use the hashtag here, so we won't return the rest of the responses from the dictionary.txt file. We commented out the rest of that command here, so now we've got our password loaded, or displayed out to us, and let's use our regular expressions here to carve it out. Just like that, we get our password and we are good to go. So Natas 9 is done. We can put this in the script for Natas 10, and just like that...
We are ready to move on. So I hope you guys... I hope that made sense: a little bit of command injection, because that code was just being passed through to a real command, like a bash shell, and executing it, and we can just kind of wrap around the arguments or do some unique things with it. We can load content from other files, because that's the way grep works, and we can use other bash syntax stuff like comments or other commands with the semicolon to do other interesting things. So, cool hack, cool vulnerability there, and that's a real thing. Command injection is for sure a real problem in web security stuff. So, okay, now they filter on certain characters, huh? Let's get started on that in the next video, guys. Thank you guys for watching, hope you're enjoying these.
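The video shows why the level's `grep -i $key dictionary.txt` string is injectable: the shell, not grep, decides where the needle argument ends. The following Python is an added example, not code from the video or from the Natas level, that reproduces the shell's view of the unquoted string with `shlex` and then shows the fix a defender would apply: validate the needle against an allowlist and run grep from an argv list with no shell at all. The word list `SAMPLE_WORDS` is a constructed stand-in for the real `dictionary.txt`, and the function names are this example's own.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed stand-in for the level's dictionary.txt (not the real word list from the video).
SAMPLE_WORDS = ["apple", "application", "banana", "happy", "zebra"]

# Allowlist for the needle: letters only, bounded length. Anything the shell or grep could
# interpret (space, ';', '#', '.', quotes, a leading '-') is rejected before any command runs.
NEEDLE_RE = re.compile(r"[A-Za-z]{1,64}")


def vulnerable_command(needle: str) -> str:
    """Rebuild the shell string the level's PHP hands to passthru(): the needle is
    concatenated unquoted, so the shell decides how many arguments it becomes."""
    return f"grep -i {needle} dictionary.txt"


def shell_tokens(needle: str) -> list:
    """Tokenize the vulnerable command the way a POSIX shell would (whitespace splitting,
    '#' starting a comment). A space in the needle becomes an extra grep argument, and
    '#' makes the shell drop dictionary.txt from the command entirely."""
    return shlex.split(vulnerable_command(needle), comments=True)


def validate_needle(needle: str) -> bool:
    """True only if the needle is a plain word. fullmatch is used so a trailing
    newline cannot slip past the way it would with '$'."""
    return NEEDLE_RE.fullmatch(needle) is not None


def safe_argv(needle: str, dictionary_path: str) -> list:
    """Build an argv list instead of a shell string: no shell is involved, '--' ends
    option parsing so the needle can never be read as a grep flag, and the needle is
    passed as exactly one argument no matter what it contains."""
    if not validate_needle(needle):
        raise ValueError("needle rejected: only letters are allowed")
    return ["grep", "-i", "--", needle, dictionary_path]


def search_dictionary(needle: str, dictionary_path: str) -> list:
    """Run grep without a shell and return the matching lines. grep exits 1 for
    'no match', which is a normal result here rather than an error."""
    result = subprocess.run(safe_argv(needle, dictionary_path), capture_output=True, text=True)
    if result.returncode not in (0, 1):
        raise RuntimeError(f"grep failed: {result.stderr.strip()}")
    return result.stdout.splitlines()


def write_sample_dictionary() -> str:
    """Write the constructed word list to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(SAMPLE_WORDS) + "\n")
    return path


if __name__ == "__main__":
    # The same inputs the video tries, seen from the shell's side of the vulnerable version.
    for needle in ["app", "app /etc/natas_webpass/natas10", "anything #"]:
        print(repr(needle), "->", shell_tokens(needle))
    path = write_sample_dictionary()
    try:
        print(search_dictionary("app", path))
        try:
            search_dictionary("anything #", path)
        except ValueError as exc:
            print("rejected:", exc)
    finally:
        os.remove(path)
```

The allowlist is the part that matters for this level: a denylist of `;`, `#` and spaces is exactly the kind of filter the next level adds, and it keeps the shell in the loop. Passing an argv list removes the shell, and `--` removes the remaining trick of a needle that starts with `-` being read as a grep option.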