What's up YouTube? This is John Hammond, looking again at the Natas wargame from OverTheWire. Now we're on level 16. So in the last video we did a little blind SQL attack, and that required a little bit of a Python loop that we were working with. So I'm going to clean up some of that code, and now we've got just a basic script where we can get the page of this level here. So set the syntax to HTML or PHP, either one really. Okay, cool. So now we've got that color here. We can read this page: "For security reasons, we now filter even more on certain characters," and this has the form with "Find words containing" and the needle that we're searching for. Okay, so this, in the output here with the pre-formatted text, this looks like the same kind of grepping-through-a-dictionary-file level that we've seen in previous renditions here. So let's see what they've done to actually make this a little bit different.

Let's view that source code, de-entitize this, and it looks like the line breaks aren't coming through, so we'll just take all those HTML break tags and replace them with newline characters. Okay, so now I've got the PHP code visible in between these <pre> tags here. You can see the question mark and greater-than and less-than symbols to note the PHP code. So we've got a key variable originally set to nothing, but we test if we actually send a request where needle comes through; we use that as the form. And we're determining, okay, if key isn't set to nothing, if it actually has value, we'll do a regular expression match against it: anything in this set (it looks like "in the set" because of the opening and closing square braces), so blacklisting the characters of a semicolon, pipe symbol, ampersand, backtick, single quote and double quote. And if any of those characters do exist in there, all it does is print "Input contains illegal character." If it passes that check, it'll go ahead and run the command.
It'll run the system shell command grep -i, the key argument, against the dictionary.txt. But this time the level is a little bit different, because the key argument is passed in double quotes, so it is isolated as its own argument. We can't get around that like we had in some of the previous levels, but it's still running a shell command. It's still running a system command. So let's see if we can find some technique that'll let us take advantage of this vulnerability here. I'm noticing we can't get around it with the double quotes or the single quotes; the backticks kind of ruin our luck for command substitution, but not entirely. Some of you may have seen some of my other videos, from the Leviathan videos on OverTheWire. I've tried originally trying to do some command substitution with backticks, and then I was informed that, hey, that's a deprecated and stupid way to do it. Oh, I pasted that into the source code; let's move that. Go back to the original page.

And okay, with the backticks obviously we do not pass that blacklist, so we've got to figure out something else. We can do command substitution with the different style syntax, with the dollar sign and the parentheses. Now we can run commands like ls or whoami or view the password, etc. The issue is, since this is command substitution, we don't actually get any output. Well, I guess we get output, but it's going to be replaced inline in that command, that grep command. So it's trying to grep for the result of whoami here, natas16, in the dictionary.txt file. Obviously, there aren't any lines that match natas16, so we're not getting out any output. That's curious, right?
Because we don't get the output of the command, but we can determine whether or not something is visible or present in the dictionary.txt file. That doesn't help us, or like, kind of at the surface level. But thinking off the heels of that last video, where we did a blind SQL injection, we figured out the existence of a user, or whether or not a user doesn't exist, to leak out a password, to leak out data. So in this level we can figure out whether or not something exists in the dictionary.txt file or if it doesn't, and we have the potential to get the password in our query, because we could just, you know, cat /etc/natas_webpass/natas17. And if we were to run this, obviously we're not going to get any output from the dictionary.txt file, because it can't find that string in the dictionary.txt file. So what if we would only get a part of the password out? What if we were to just grep for, like, the letter a in the password? Well, whether or not that got a result, we don't know. Okay, we got something here. Let's do this in the console so we can get the results. Okay, it looked like it didn't return any string, because we grepped an empty string and everything returned for us. So let's try something like b: does b exist in the password? Okay, so because b does exist in the password, that grep command that we saw in the PHP code is filled in with the actual password, the natas17 password, as an argument, and it obviously can't find that in dictionary.txt.
So we don't see any output here. Now let's do something clever, because let's put in some data, like default data, that we would expect to get a response from dictionary.txt, like the word "anything," right? Looks like we get "anything" and "anythings." Let's change our script to "anythings" so we have an easy one result if it matches. So "anythings" is in there, but now we can run a test just like we've been doing before, with our command substitution: grep for a in /etc/natas_webpass/natas17. We saw earlier that it doesn't have the letter a in the natas17 password, so "anythings" will remain the only argument we pass to it. But if we grep for b, where b is present in natas17, now we're going to be searching for "anythings" and then blah blah blah, whatever the password may be, and that's not present in dictionary.txt, obviously. So now we've got that trigger, a yes-or-no kind of dichotomy that'll help us figure out: is this character in the password or not? But we need to leak out everything in the password; we need to leak out character by character. So how are we going to do that?

Well, we can still use that grep magic to our advantage, because grep's using regular expressions. So if we use a special regular expression character like the caret, that means the start of the string, or the very, very first character following this. So if b is the first character, we will not get any results from our output, but because we do get results, "anything" has come through. Okay, b is not the first character. That's what we can decipher from that, but we know b was in there.
So we know our commands are going through now. We just have to figure out which of these is the first character. Now we have to loop through all those characters, just like we've been doing in the previous video. So let's get set up with all of those printable characters: we had characters equal to lowercase and uppercase and digits, because we know that that is what makes up the password here for OverTheWire levels. Let's set up a while loop, and now we know the condition that we can use, because this password that we're using is going to be 32 characters in length. So let's get a seen_password variable that we'll use as a list, and while the length of seen_password is less than 32 we can keep looping, and we'll do, for each character in all the possible characters, let's try and figure out what the response might be. And let's add in what we've seen of the password, joined together, because it's a list, so we want that to be a string, and the current character we're looking at. Great.

So now let's test what is actually being returned to us. Let's try re.findall: get the <pre> tags, there's a newline following it, and dot-star, anything, a newline and pre. Let's see now; we want content here. So let's print out that and let's see if we get results. "anythings," "anythings," "anythings," "anything," "anything," "anything," et cetera, et cetera, et cetera. But one of these should return nothing for us at some point, right? I should have noted the character that we're on. Oh, okay. We see the trigger. We see the hit right there. So whatever that was, well, it's not a thing. So we can check if returned; we can check, let's say, a variable named returned.
So if returned, so if that list actually has content, then print "this is not the first character," and we'll just print out the character from that. And if it didn't get anything returned, then we know this is the first character. Sure, and then let's just try that to see how it looks, looping through every single character, blah, blah, blah. This is going to take a little bit of time, obviously, because we're brute forcing, but that's the methodology that we're going to go for, blind leaking. And we get a hit at 8. Okay.

So now we can use the same functionality we had before: if not returned, when we get a success, what we can do is add that character to seen_password, so it will become part of what we're looping through, and then let's break out of this original for loop, so we start again going through the alphabet. And if we do get it, let's print out the join of seen_password. So now, very, very slowly, let's print out what we're trying. Yeah, let's actually just print out what we send it, and we don't need this one down here. Now we can see it trying to leak this out, and because we're using that grep regular expression, the caret, to denote the start of the password, we'll be able to say, okay, that number 8 is the first character, and we'll loop through more and more and more until we get the next character in the password, and then the next character, because it's still adding on to that list that we're seeing and combining it as a string. So this is going to take a little bit of time, but at the very end we're going to have the Natas level 17 password just leaked out, using that nifty trick of the command substitution with the grep regular expression caret and determining whether or not we actually get a result out of the dictionary.txt file. Let's let this run.

All right, looks like the script finished. Looks like we have a password, and now let's try it for Natas level 17: response.text. Save this as natas17. natas17, paste. See if we get a result. And we
do; we're at Natas level 17. Awesome. Okay, that's it. That's all the technique we needed to do. Thank you guys so much for watching. Hope you're enjoying these. If you do like the video, please do that, like the video. Maybe leave me a comment, tell me and let me know what you think, what I can do better, what else you'd like to see, if you're willing to subscribe, and if you, uh... thanks again guys, I'll see you in a later video.
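An added example, not code from the video, from OverTheWire, or from the level's own PHP: it models the blacklist the transcript reads out of the source (semicolon, pipe, ampersand, backtick, single and double quote) next to an allowlist check, shows a grep invocation that keeps the needle as a single argv entry with no shell involved, and runs a small check over constructed access-log lines to flag needle parameters carrying command substitution. The allowlist pattern, the build_grep_argv helper, the flag_injection_attempts function and the log lines are assumptions made for this example; the blacklist and the $(...) gap are what the transcript describes.

```python
import re
import urllib.parse

# The blacklist from the level's PHP source, as read out in the video:
# semicolon, pipe, ampersand, backtick, single quote and double quote.
# Note that '$', '(' and ')' are not in it, so $(...) passes this check.
BLACKLIST = re.compile(r'[;|&`\'"]')

# Hardened check (an assumption for this example, not the level's code):
# only accept the characters a dictionary word can actually contain.
ALLOWLIST = re.compile(r'[A-Za-z0-9]+')

# Shell constructs the blacklist does not cover; used by the log check below.
SUBSTITUTION = re.compile(r'\$\(|\$\{|`')


def blacklist_rejects(needle: str) -> bool:
    """True if the level's filter would print the illegal-character message."""
    return BLACKLIST.search(needle) is not None


def allowlist_rejects(needle: str) -> bool:
    """True if the allowlist check would refuse the needle."""
    return ALLOWLIST.fullmatch(needle) is None


def build_grep_argv(needle: str, dictionary: str = "dictionary.txt") -> list:
    """Argument vector for grep with no shell in the path (hypothetical helper).

    The needle is one argv entry, so $(...) is never interpreted, whatever
    the quoting; '--' stops grep from reading a needle such as '-r' as an
    option. Execute with subprocess.run(argv, shell=False).
    """
    return ["grep", "-i", "--", needle, dictionary]


# Constructed access-log lines (not from the video): two ordinary searches and
# two requests whose needle carries a command-substitution construct.
LOG_LINES = [
    '203.0.113.7 - - [01/May/2024:10:00:00 +0000] "GET /index.php?needle=anythings HTTP/1.1" 200 420',
    '203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /index.php?needle=anythings%24%28grep+%5Eb+%2Fetc%2Fnatas_webpass%2Fnatas17%29 HTTP/1.1" 200 118',
    '203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /index.php?needle=%60id%60 HTTP/1.1" 200 140',
    '198.51.100.9 - - [01/May/2024:10:00:03 +0000] "GET /index.php?needle=password HTTP/1.1" 200 410',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_injection_attempts(log_lines):
    """Return (client_ip, decoded_needle) for each request whose needle holds
    shell metacharacters or a command-substitution construct after URL decoding."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m is None:
            continue
        query = urllib.parse.urlsplit(m.group(1)).query
        for needle in urllib.parse.parse_qs(query).get("needle", []):
            if SUBSTITUTION.search(needle) or BLACKLIST.search(needle):
                hits.append((line.split(" ", 1)[0], needle))
    return hits


if __name__ == "__main__":
    probe = "anythings$(grep ^b /etc/natas_webpass/natas17)"
    print("blacklist rejects:", blacklist_rejects(probe))  # False
    print("allowlist rejects:", allowlist_rejects(probe))  # True
    print("argv:", build_grep_argv(probe))
    for ip, needle in flag_injection_attempts(LOG_LINES):
        print(ip, repr(needle))
```

The point of build_grep_argv is that quoting the needle inside a shell string, as the level does with double quotes, only controls how the shell splits arguments; the shell still expands $(...) before grep ever sees it. Handing grep an argv list with no shell removes that expansion step entirely, and the allowlist closes the rest. The log check decodes the query string first, since the substitution characters will usually arrive percent-encoded.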