What's up, everybody? John Hammond here, back at the Natas wargame from OverTheWire. Just finished up on level 10 now; it looks to be pretty similar to level 9. I went ahead and ran the script so we can check out the URL and what's in the page right here, and let's actually view it. It says: for security reasons, we now filter on certain characters. And let's have another one: find words containing a needle, and a haystack. Same functionality we had seen in the previous level. But we can take a look at the source code and see what they're doing, since they say they're filtering on certain characters. So let's add that to our URL, just do the GET request on that. And as usual, this is pretty gross, but we can run tidy HTML on it. We can run the HTML de-entitize on the entities, and this BR or HTML break tag is kind of annoying. We can Ctrl+H to find-and-replace those BRs, and let's replace them with nothing. I'm going to hit Ctrl+Alt+Enter here so they all go away. Cool.

So we've got the PHP code denoted here. And we can search for a key that determines whether or not we have actually submitted a request or posted to this web page. And it's testing that, determining whether or not this key exists, if needle, if that form input was provided. And if it doesn't equal an empty string, if it were actually provided from this previous conditional, it'll test with preg_match, which looks like forward slashes around square braces containing a semicolon, pipe symbol, and ampersand, all tested against the key. So preg_match is regular expressions, and it's testing: is there a match for anything in this regular expression set? You can tell it's regular expressions by the forward slash beginning and ending. And in regular expressions, the square brace means anything within this character set. So anything like a semicolon, pipe symbol, or ampersand in this case will return a match. And it's testing on the key that's provided, so whatever we actually input. And otherwise it will return out.

It'll display "Input contains an illegal character." Otherwise, it'll go ahead and run the command like it had in the previous level, actually run grep. We can view this in the web page if we wanted to. Let me fire that up here. Steal the URL, open up Firefox, and we are in Natas 10. So let me just copy and paste this password here. Okay, great. So if we had anything with a semicolon at the end, it'll say, "Oh, this input contains an illegal character." So we can't use those. But that's okay, because in the last video for Natas 9, we didn't end up using any of those characters. The exploit, quote unquote, or the technique we ended up using was posting to this page and doing some command injection to say, I want to grep for anything, with the period because of regular expressions, in the file, the, like, Natas password file. In this case, we will want natas11 now, because we're on level 10 and we want to advance to the next level. And then we use a pound symbol or a hashtag to comment out the rest of the line. So it didn't actually check out dictionary.txt; it would just only run grep and process through the password file for the next level. So since the hashtag or that pound symbol is not in this illegal character list, it's not in this regular expression set, we can run this exact same thing and we should still be able to get the next password.

So let's run that POST command, run that function, and let's see what's returned to us. Go ahead and print the content out. I just changed the URL to make sure it's actually interacting with the page. Keep in mind, you may have to do that if you forgot to, but output: here is the password for the next level, right? Okay, we're done. Awesome. Because all we did was just that little technique: grep for anything, the period here, specify the file that we want, etc., natas_webpass, natas11, and then comment out the rest.

Because since there wasn't any sanitization or any filtering done to really what's being input into that grep command, or into that system call, that shell command, we were able to just inject just like that. Same as the last level. Pretty easy, pretty simple. Really just reusing that same exploit. And now we're ready to move on. Let's go to Natas 11. Create a script for that. I'm going to have to replace it, because I already had some stuff that I was just experimenting with. And now we can check out what this level is. This is going to be a pretty big one, a pretty long video for Natas 11. So that's why I wanted to offset it with a pretty short video here for Natas 10, because it's really the same attack as the Natas level 9. Thanks for watching, guys. Hope you're enjoying these. I hope you're enjoying this video. If you do, please like the video, comment, tell me what you think, what more videos you want to see, if you're willing to subscribe. And thanks for watching, guys. Hope you're enjoying these. See you later.
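As an added example (not the video's script and not the level's own code), here is a Python model of why the level's character blocklist does not stop the injection and what quoting the argument would change. It assumes the grep call has the form `grep -i $key dictionary.txt` (the transcript only says grep runs over dictionary.txt), and it never executes anything; it only builds the command string and tokenises it the way a POSIX shell would.

```python
import re
import shlex

# The filter from the level's PHP source as described in the video:
# reject any key containing ';', '|' or '&'  (preg_match('/[;|&]/', $key)).
BLOCKED = re.compile(r"[;|&]")


def is_blocked(key: str) -> bool:
    """Mirror the level's blocklist check."""
    return BLOCKED.search(key) is not None


def build_command_unsafe(key: str) -> str:
    """Plain string interpolation, as the level does it (command form assumed)."""
    return f"grep -i {key} dictionary.txt"


def build_command_safe(key: str) -> str:
    """Same command, but the user value becomes one quoted argument.
    shlex.quote is the Python analogue of PHP's escapeshellarg()."""
    return f"grep -i {shlex.quote(key)} dictionary.txt"


def shell_argv(command: str) -> list[str]:
    """Tokenise like a POSIX shell, honouring '#' as a comment start,
    so we can see which arguments grep would really receive."""
    return shlex.split(command, comments=True)


# Constructed sample: the needle from the video. It contains none of the
# three blocked characters, so the filter lets it through.
NEEDLE = ".* /etc/natas_webpass/natas11 #"


def main() -> None:
    print("blocked by filter:", is_blocked(NEEDLE))
    # Unsafe: '#' comments out dictionary.txt, so grep reads the password file.
    print("unsafe argv:", shell_argv(build_command_unsafe(NEEDLE)))
    # Safe: the whole needle is a single argument and dictionary.txt survives.
    print("safe argv:  ", shell_argv(build_command_safe(NEEDLE)))


if __name__ == "__main__":
    main()
```

The takeaway for the defender is that a character blocklist only enumerates the metacharacters someone thought of, whereas quoting the argument removes the shell from the equation entirely.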