OverTheWire – Natas level 13 was not that hard

Leave a reply

hey there,

people learn from their mistakes, so does Natas. They have heard that instead of .jpg we were able to upload any file, so they just made some changes and “improved” their security for this level. have they even heard about magic numbers? today they are gonna do their magic for us.

first just open your terminal and hexdump any .jpg file.  I have just found this cutie in my laptop, so gonna see how .jpg files differ from the other ones.  so, I’m gonna type: xxd -C nameofthephoto.jpg

pay attention to the first bites of the hexdump:ffd8 ffe0 00
these are the magic numbers for .jpg. and they are here for us today. we can convince the server that the file, that we are uploading, is a pure .jpg as it wishes. (ssshhh, don’t tell anyone, we are going to upload a wonderful .php that will lead us to our password)
do you remember the script (natas13.php) that we wrote together for the last level ? bring it back, we need it today as well. you have to make some changes though:

<?php
echo file_get_contents( “/etc/natas_webpass/natas14 “);
?>

and now let’s make a .jpg file just to have the magic numbers in it: 

echo -e “xffxd8xffxe0n” > newfile.jpg

we should merge these two files: 

cat natas13.php >> newfile.jpg

the rest is the same. upload the file, change the name into .php (now you like burp suite more, right?) and enjoy the moment. come back for the next level.

I thought it’s supposed to be easier…

Leave a Reply

Your email address will not be published. Required fields are marked *