What's up, YouTube? This is John Hammond again, showing you some more of Natas from OverTheWire, this time level 13. So level 13 works very, very similar to Natas 12. If you run the same script we've been working with before, just a Python script to be able to get the contents of the web page, we can view the page here and it says: for security reasons, we now only accept image files in the upload, that file upload functionality we've been working with in the previous level. So it looks like it has the exact same functionality, it's just that it says we only accept image files. So let's verify that. Let's take a look at that index source HTML page and see what they really do in the code to verify that it's an image file that we're uploading, not a PHP script.

So once that's downloaded, let's go ahead and clean that up. All of the code here looks like we still have the genRandomString, makeRandomPath, and makeRandomPathFromFilename functions. Looks like the only thing that has really changed here is this big test: if the key exists, the filename, or posting. So if we actually upload a file here, it tests for the file size again, tests... oh, here it is, here: if not exif_imagetype of the uploaded file's temp name. So if that doesn't return true, it explains that the file is not an image. Okay. I guess we'll just see what uploading our original function will do, I suppose. Let's save this and put it in a separate pane so we can look at the source code in a second, but I want to run this just to see what happens, and in it, it says: file is not an image.
Okay, so whatever it is, our PHP script here is not passing that test. So, take a look back at the source code. The function that we're looking at is exif_imagetype. So what I thought this did, just kind of looking at it off the top of my head, was I thought it was viewing the Content-Type of the file that we upload, because normally it'll pass that along, like in the HTTP POST request or whatever that is that you do, it'll say like, oh, image/jpeg, or image/png, or image/gif or whatever. And that is carried along with the upload. You can actually get in the middle of this in the requests module if you wanted to, just like with this functionality here that we're looking at in the documentation, and you can do that, you can make the change in Burp Suite or whatever you wanted to, just change that raw HTTP communication if you wanted to. But when I looked at this function more in depth, it turns out it wasn't doing that. I went ahead and researched what exif_imagetype really does, and it says it reads the first bytes of an image and checks its signature. So, okay, that means that we must have to do something special with our PHP script, or the file that we're trying to upload, to actually get it onto the box. So if we were to run file on what our thing is right now, what the script is, or the file that we want to upload, it'll tell us: okay, reading the first couple of bytes of this, you can tell it's a PHP script. But if we wanted the server or the website to read the first couple of bytes of an image and check the signature, we can't have it determine that it's a PHP script.
We have to make it think that it's something like, I don't know, a GIF image or a JPEG image or a PNG, etc., etc., etc. So we, and any other intelligent people trying to get around these things, can make a change to this file that isn't going to be too detrimental. It'll still operate the same way we would expect it to if we wanted to be running PHP code, but we can include something like a special magic header, or the magic bytes of a PNG image or a JPEG image. Probably the easiest use case is a GIF image, because a GIF magic header is just the word GIF and then 89 lowercase a. And then if we go back to our command line, we can see that file thinks our rev shell PHP script is actually a GIF image, version 89a, and it totally gets the dimensions wrong, which is really, really funny, but that's the gimmick. That's the kind of hack we can do here, and just like that we can trick the web server into thinking that we're uploading a real image.

Now if I post this, it says okay, cool, the file has been successfully uploaded. So just like that, just making that quick change to that remote code execution PHP script, just adding that GIF89a at the very, very top, the first couple of bytes, we should be in. Let's go ahead and change that function call to GET with the uploaded file, and let's run whoami or something to make sure we've got it. Run this command: our GIF89a is up there, but we also get natas13, so we get code execution. So let's cat out the password for the next level with our code execution capability. Run this, and just like that we get the password. Sweet. Not a huge change from this level, but a really good thing to note: just easy GIF89 alpha, or 89 lowercase a. Don't know why I'm saying alpha, I'm not a cool Coast Guard kid. That will work for us. So let's go ahead and create a new script for Natas 14. Easy, we're cruising right along.
Thank you guys for watching these. Hope you're enjoying them. If you are, please like the video, maybe leave me a comment on what you think, what else you'd like to see. Share this video, tell your friends and co-workers, and if you're willing, subscribe, guys. See you in a later video.
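The check the video describes, a signature-only test in the spirit of exif_imagetype(), placed beside a stricter validator that a defender would want on an upload handler. This is an added example, not code from the video or from the Natas challenge; the sample bytes, the function names and the upload filenames are all constructed for illustration, and the structural check is shown for GIF only.

```python
import struct

# Constructed sample inputs (not from the original video).
# A minimal but structurally complete 1x1 GIF: header, logical screen
# descriptor, image descriptor, tiny LZW data block, and the 0x3B trailer.
REAL_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02\x02\x44\x01\x00"
    + b"\x3b"
)
# Text that merely starts with the GIF signature, as described in the video.
POLYGLOT = b"GIF89a<?php echo 'not an image'; ?>"

SIGNATURES = {b"GIF": "gif", b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}


def signature_type(data):
    """Signature-only check: looks at the leading bytes and nothing else."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def strict_gif_check(data):
    """Require the whole file to look like a GIF, not just its first bytes."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 14:
        return False
    width, height = struct.unpack("<HH", data[6:10])
    if width == 0 or height == 0:       # logical screen must have a size
        return False
    if data[-1:] != b"\x3b":            # every GIF ends with the trailer byte
        return False
    if b"<?" in data:                   # script open tag anywhere is a red flag
        return False
    return True


def accept_upload(filename, data):
    """Allowlist the extension, make the signature agree with it, then go deeper.
    Storing uploads outside the web root (so nothing is ever executed) is the
    real fix; this validator only decides what gets stored at all."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("gif", "jpg", "jpeg", "png"):
        return False
    if signature_type(data) != ("jpeg" if ext == "jpg" else ext):
        return False
    if ext == "gif":
        return strict_gif_check(data)
    return True
```

Running signature_type() on POLYGLOT returns "gif", which is exactly why the level's check passes, while accept_upload() rejects it on the extension and, renamed to .gif, on the missing trailer and the embedded script tag.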