Natas · OverTheWire

Natas Level 20 → Level 21

Level 20

Username : natas20
Password :eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF
URL : http://natas20.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas20 application using the credentials provided above.

The application presents us with ” You are logged in as a regular user. Login as an admin to retrieve credentials for natas21.  ” and an input field for a name. Lets try submitting a name and see what happens.

As you can see above, the application saves the name in the backend and displays it every time the page is opened. The name can be changed and the application displays the new name every time the page is refreshed. Let’s look at the source code and create a list of different functions defined in the page.

debug($msg)
print_credentials()
myopen($path, $name)
myclose()
myread($sid)
mywrite($sid, $data)
mydestroy($sid)
mygarbage($t)

As we can see the first function call is made to session_set_save_handler(). This function sets the user-level session storage functions which are used for storing and retrieving data associated with a session. This is most useful when a storage method other than those supplied by PHP sessions is preferred, e.g. storing the session data in a local database. More information on this can be found here.

The next function call is made to session_start(). This function creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.When session_start() is called or when a session auto starts, PHP will call the open and read session save handlers. These will either be a built-in save handler provided by default or by PHP extensions (such as SQLite or Memcached); or can be custom handler as defined by session_set_save_handler(). The read callback will retrieve any existing session data (stored in a special serialized format) and will be unserialized and used to automatically populate the $_SESSION superglobal when the read callback returns the saved session data back to PHP session handling.More information on this can be found here.

Lets send a request to the function with the debug variable set and see how the application responds.

 

As we can see, the application sets a PHPSESSID cookie and the debug statement prints the following ” DEBUG: MYREAD 261he2b5s2rpf3r1mfkct8uf52 DEBUG: Session file doesn’t exist DEBUG: MYWRITE 261he2b5s2rpf3r1mfkct8uf52 DEBUG: Saving in /var/lib/php5/sessions//mysess_261he2b5s2rpf3r1mfkct8uf52″.

Let’s now send a POST request with a name in the request and the debug GET variable set.

 

As we can see the application responds with the following debug statements: ” DEBUG: MYREAD 261he2b5s2rpf3r1mfkct8uf52 DEBUG: Session file doesn’t exist DEBUG: Name set to Harsh DEBUG: MYWRITE 261he2b5s2rpf3r1mfkct8uf52 name|s:5:”Harsh”; DEBUG: Saving in /var/lib/php5/sessions//mysess_261he2b5s2rpf3r1mfkct8uf52 DEBUG: name => Harsh ”

Let’s dive deeper into the mywrite() function.

foreach($_SESSION as $key => $value) 
{
    debug("$key => $value");
    $data .= "$key $value\n";
}
file_put_contents($filename, $data);

As we can see from the above code, the function reads all the key-value pairs from the SESSION variable and stores them in the filename associated with the session. Therefore, if we can inject some data into the session file and then make the application read them, we can hopefully act as an admin user and retrieve the password.

Let’s dive deeper into the myread() function.

$data = file_get_contents($filename);
$_SESSION = array();
foreach(explode("\n", $data) as $line) 
{
    debug("Read [$line]");
    $parts = explode(" ", $line, 2);
    if($parts[0] != "") 
        $_SESSION[$parts[0]] = $parts[1]; 
}

As we can see the myread function merely reads the content of the session file. This session file can be infected with our key-value pairs using the mywrite() function. Lets inject our code ” admin%0Aadmin 1 ” in the name variable. This command would assign the ‘name’ key to the value ‘admin’ and also create another key-value pair with the key as ‘admin’ and value as ‘1’. %0A is the URL encoded value for a newline.

 

As we can see above, the application prints the password for the next level since the admin SESSION variable is set as 1.

Level 21

Username : natas21
Password : IFekPyrQXftziDEsUr3x21sYuahypdgJ
URL : http://natas21.natas.labs.overthewire.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s