Level 18 Username : natas18 Password :xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP URL : http://natas18.natas.labs.overthewire.org
To solve this level, we first log into the natas18 application using the credentials provided above.
The application presents us with a username and password text field with a statement ” Please login with your admin account to retrieve credentials for natas19. ” Lets try a random password with the username ‘admin’.
As we can see, the application responds with ” You are logged in as a regular user. Login as an admin to retrieve credentials for natas19. “. On checking the Burp logs, we can see that the application sets a cookie ” PHPSESSID ” with a 1-3 digit number (565 in my case) as the value.
Let’s look at the source code to get more information about the application. The following functions are defined in the application:
isValidID($id) isValidAdminLogin() createID($user) debug($msg) my_session_start() print_credentials()
The application follows the following calling pattern : my_session_start() -> isValidID() -> print_credentials() and my_session_start() -> isValidID() -> createID() -> print_credentials().
The debug() function is used to print debug information if the GET variable is present. isValidAdminLogin() function seems to be deprecated and not used by the application.
Looking at the application flow, we can see that the application uses a random number (max: 640) and sets that as the cookie. On a new request, the cookie is sent to the application and the application checks whether the cookie belongs to an admin user or not. Since a cookie is used to determine whether the user is admin or not, finding out the cookie associated with the admin user seems to be the easiest way of getting the password for the next level. To solve this level, I am going to make use of Burp Intruder and use different cookie values (max: 640) to find out the cookie associated with the admin user.
As you can see in the results, value: 138 had the admin session flag set to 1 and thus the password is printed.
Level 19 Username : natas19 Password : 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs URL : http://natas19.natas.labs.overthewire.org