Natas · OverTheWire

Natas Level 21 → Level 22

Level 21

Username : natas21
Password : IFekPyrQXftziDEsUr3x21sYuahypdgJ
URL : http://natas21.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas21 application using the credentials provided above.

The application displays a message similar to the one from the last round: “You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.” This time, the application also displays a note: “Note: this website is colocated with http://natas21-experimenter.natas.labs.overthewire.org”. The application also sets a PHPSESSID cookie, like last time. Since there are no input fields in this application, let’s have a look at the source code.

The source code contains a print_credentials() function like the previous levels and checks whether the SESSION dictionary has an admin key set to 1. No other input functions are present in the source code. Let’s log in to the colocated application using the credentials for this round and do some reconnaissance.

After logging in, we can see that the application is used to change the CSS behavior of the application. The following lines of code seem interesting:

if(array_key_exists("submit", $_REQUEST)) 
{
    foreach($_REQUEST as $key => $val)
    {
        $_SESSION[$key] = $val;
    }
}

As we can see, the application takes the variables sent in the POST request and saves them in the session variable. The application does not run any checks whatsoever on the integrity of the request variables. Therefore, if we inject our own variable in the REQUEST, we can store an admin key in the SESSION and set its value to 1.

 

As we can see above, the debug statement prints the values of the SESSION variables. Since the applications are colocated, I’m hoping that they share the same SESSION key, so that whatever is set in the SESSION using this page is also available on the main page if we use the same SESSION key. Let’s make a request to the main page and submit this cookie.

 

As we can see, the application assumes we are the admin and prints out the password for the next level.
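
The root cause is the loop that copies every request key into the session. As an added example (not code from the challenge or from this write-up's original text), here is one way to harden that loop in PHP. The field names align, fontsize and bgcolor, their validation patterns, and the helper names are assumptions; $session stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example: hardened replacement for the foreach-over-$_REQUEST loop.
// Field names and patterns below are assumptions made for illustration.

// Allow-list: only these keys may be stored, each with its own validator.
const STYLE_FIELDS = [
    'align'    => '/^(left|center|right)$/',
    'fontsize' => '/^\d{1,3}%$/',
    'bgcolor'  => '/^(#[0-9a-fA-F]{6}|[a-z]{3,20})$/',
];

/**
 * Return only the allow-listed, well-formed style values from $input.
 * Unknown keys (such as "admin" or "submit") and malformed values are dropped.
 */
function filter_style_input(array $input): array
{
    $clean = [];
    foreach (STYLE_FIELDS as $key => $pattern) {
        if (isset($input[$key]) && is_string($input[$key])
            && preg_match($pattern, $input[$key]) === 1) {
            $clean[$key] = $input[$key];
        }
    }
    return $clean;
}

function store_style(array &$session, array $input): void
{
    // Namespace user-controlled data under one key so it can never collide
    // with authorization flags kept at the top level of the session.
    $session['style'] = filter_style_input($input) + ($session['style'] ?? []);
}

// Constructed sample request: two legitimate fields plus an injected key.
$request = ['align' => 'center', 'bgcolor' => 'yellow',
            'admin' => '1', 'submit' => 'Update'];
$session = [];  // stand-in for $_SESSION
store_style($session, $request);

// Inspect what was stored in the session stand-in.
var_dump($session);
```

The allow-list closes the key injection; the shared session data is a separate problem, and giving each colocated application its own session.save_path keeps a session written by one from being read by the other.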

 

Level 22

Username : natas22
Password : chG9fbe1Tq2eWVMgjYYD1MsfIvN461kJ
URL : http://natas22.natas.labs.overthewire.org
