Natas · OverTheWire

Natas Level 18 → Level 19

Level 18

Username : natas18
Password : xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
URL : http://natas18.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas18 application using the credentials provided above.

The application presents us with a username and password text field and the statement "Please login with your admin account to retrieve credentials for natas19." Let's try a random password with the username 'admin'.

As we can see, the application responds with "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19." On checking the Burp logs, we can see that the application sets a cookie "PHPSESSID" with a 1-3 digit number (565 in my case) as the value.

Let’s look at the source code to get more information about the application. The following functions are defined in the application:

isValidID($id)
isValidAdminLogin()
createID($user)
debug($msg)
my_session_start()
print_credentials()

The application uses the following call patterns: my_session_start() -> isValidID() -> print_credentials() and my_session_start() -> isValidID() -> createID() -> print_credentials().

The debug() function is used to print debug information if the GET variable is present. The isValidAdminLogin() function seems to be deprecated and is not used by the application.

Looking at the application flow, we can see that the application picks a random number (max: 640) and sets it as the session cookie. On a new request, the cookie is sent to the application, and the application checks whether the cookie belongs to an admin user or not. Since a cookie is used to determine whether the user is admin or not, finding out the cookie associated with the admin user seems to be the easiest way of getting the password for the next level. To solve this level, I am going to make use of Burp Intruder and use different cookie values (max: 640) to find out the cookie associated with the admin user.

As you can see in the results, value: 138 had the admin session flag set to 1 and thus the password is printed.
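Seen from the server side, the cookie walk described above has a distinctive shape: one client presenting many different PHPSESSID values in a short time. The detection logic below is an added example, not code from the original post or from natas18; the log line format, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed (constructed) log format: "<epoch_seconds> <client_ip> PHPSESSID=<value>"
LINE_RE = re.compile(r"^(\d+) (\S+) PHPSESSID=(\S+)$")


def find_session_enumeration(lines, window=60, max_distinct=5):
    """Return {client_ip: peak distinct IDs} for clients that presented more
    than max_distinct different PHPSESSID values within `window` seconds."""
    recent = defaultdict(deque)  # ip -> (timestamp, session_id) inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, ip, sid = int(m.group(1)), m.group(2), m.group(3)
        q = recent[ip]
        q.append((ts, sid))
        # Drop entries that have fallen out of the sliding window.
        while q and q[0][0] <= ts - window:
            q.popleft()
        distinct = len({s for _, s in q})
        if distinct > max_distinct:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary client and one client walking the ID range."""
    lines = [f"{1000 + i * 10} 192.0.2.10 PHPSESSID=565" for i in range(6)]
    lines += [f"{1000 + i} 198.51.100.7 PHPSESSID={i + 1}" for i in range(40)]
    lines.append("malformed line without a cookie")
    return lines


if __name__ == "__main__":
    for ip, peak in find_session_enumeration(build_sample_log()).items():
        print(f"{ip}: {peak} distinct session IDs within the window")
```

Detection of this kind is a backstop. The underlying fix is to draw session IDs from a cryptographically secure generator with a value space large enough that enumeration is infeasible.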

Level 19

Username : natas19
Password : 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs
URL : http://natas19.natas.labs.overthewire.org
