Login

Username: natas10
Password: nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu
URL: http://natas10.natas.labs.overthewire.org

Solution

Okay, they’re filtering our input. Let’s check the source code to see what’s being filtered.

Well, we have some regex that matches semicolon, vertical bar, and ampersand. So that means we can’t use command chaining, ORing (||) or ANDing (&&).

I have an idea. grep can search multiple files. Why not just add the password file as a second parameter? And we can use . to match any character.

So our query will be: . /etc/natas_webpass/natas11

Booyah.
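
Why the filter lets this query through, and what a fix looks like, as an added example that is not code from the level or from this write-up. The grep command shape, the dictionary.txt file name and the letters-only allowlist are assumptions, and shlex only approximates how a shell splits words.

```python
import re
import shlex

# Assumed filter: the write-up says only that ';', '|' and '&' are matched.
BLOCKLIST = re.compile(r"[;|&]")
# Hypothetical name for the word list that grep is meant to search.
WORDLIST = "dictionary.txt"


def blocklist_command(key):
    """Vulnerable pattern: reject three metacharacters, then interpolate."""
    if BLOCKLIST.search(key):
        return None  # input rejected by the filter
    return f"grep -i {key} {WORDLIST}"


def shell_argv(command):
    """Approximate how a POSIX shell splits the command line into words."""
    return shlex.split(command)


def searched_files(argv):
    """For 'grep -i PATTERN FILE...', every word after the pattern is a file."""
    return argv[3:]


def hardened_argv(key):
    """Hardened pattern: allowlist the input and never build a shell string."""
    if not re.fullmatch(r"[A-Za-z]+", key):
        return None  # anything but plain letters is refused
    # -F: fixed string, -e: next word is the pattern, --: end of options.
    # The list is meant for subprocess.run(argv) without shell=True, so the
    # key stays a single argument however it is spelled.
    return ["grep", "-i", "-F", "-e", key, "--", WORDLIST]


if __name__ == "__main__":
    query = ". /etc/natas_webpass/natas11"  # the query from the write-up
    cmd = blocklist_command(query)
    print("shell string :", cmd)
    print("grep searches:", searched_files(shell_argv(cmd)))
    print("hardened     :", hardened_argv(query), hardened_argv("password"))
```

The space is the character that matters here: it turns one input into two words, and the blocklist never looks for it.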