1 minute read Nov 8, 2012
The next level of OverTheWire’s Natas challenge is Level 9. This is a command injection vulnerability. Initially, you are given a search box. Just like in previous levels, I looked at the available source code. You can see the vulnerability is that the user input is not sanitized. Because of this, you can inject additional shell commands into the “grep” command the page runs to perform the search. I simply put “; cat /etc/natas_webpass/natas10” in the search box, since that is where the password file is located.
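To make the defect concrete from a defender's point of view, here is an added example (my own code, not the challenge's source, which the post does not quote). It assumes the search handler interpolates the raw search key into a string like `grep -i <key> dictionary.txt` and hands it to a shell; the file name `dictionary.txt` and the handler shape are assumptions. The example tokenizes the resulting command line the way a POSIX shell would and counts how many commands it really contains, then shows two fixes: quoting the key with `shlex.quote` (or, better, passing an argument list so no shell is involved at all) and an allow-list check on the input.

```python
import shlex

# Assumed file name; the challenge's real dictionary file is not named in the post.
DICTIONARY = "dictionary.txt"

# The search string from the post, used here only as a constructed test input.
INJECTED_KEY = "; cat /etc/natas_webpass/natas10"

# Shell operators that start a new command or pipeline stage.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}


def unsafe_command(key: str) -> str:
    """Naive handler: raw user input spliced straight into a shell command string.
    (Assumption: this is the shape of the vulnerable code the post describes.)"""
    return f"grep -i {key} {DICTIONARY}"


def safe_command(key: str) -> str:
    """Still a shell string, but the key is quoted so it can only ever be one argument.
    '--' stops grep from reading a key that starts with '-' as an option."""
    return f"grep -i -- {shlex.quote(key)} {DICTIONARY}"


def safe_argv(key: str) -> list[str]:
    """Preferred fix: an argument list for subprocess.run(argv) with no shell at all,
    so shell metacharacters in 'key' are never interpreted."""
    return ["grep", "-i", "--", key, DICTIONARY]


def split_commands(cmdline: str) -> list[list[str]]:
    """Tokenize 'cmdline' like a POSIX shell (quotes honoured, ';' '&&' '|' etc.
    split off as their own tokens) and group the tokens into separate commands."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_allowed_key(key: str) -> bool:
    """Allow-list check suitable for a dictionary search: letters and digits only.
    Rejecting everything else is a simpler control than trying to escape metacharacters."""
    return key.isascii() and key.isalnum()


if __name__ == "__main__":
    print("unsafe :", split_commands(unsafe_command(INJECTED_KEY)))
    print("quoted :", split_commands(safe_command(INJECTED_KEY)))
    print("argv   :", safe_argv(INJECTED_KEY))
    print("allowed:", is_allowed_key(INJECTED_KEY), is_allowed_key("password"))
```

Running it shows the unsafe string splitting into two commands, the second of which begins with `cat`, while the quoted form and the argument list keep the entire search key as a single literal argument to `grep`. A web handler that logs `is_allowed_key` failures also gets a cheap detection signal for probing of this kind.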