We covered OverTheWire Natas 19-20 level. This level was similar to the previous level but with the session ID no longer generated sequentially and in the new challenge, the session ID is generated using a range of numbers from 1 to 640 and then combined with the username used to login and lastly the final string is hex encoded. Using python scripting were able to identify the pattern used in creating the session ID and find the one associated with the admin account. . This was part of OverTheWire War Games Natas Level 19-20
Video Transcript
What’s going on guys welcome back to this video today we will be doing over the wire CTF games and we’re going to be doing love and lighting so we move up to another 19 into level 20.
Okay so we visit the URL and we see a login form the title says this page uses mostly the same code as the previous level but session IDs are no longer sequential
so basically if you go to the previous level if you remember the previous level we were brute forcing session IDs so session IDs where predictable and assigned a numerical value in the code that’s not good from a security perspective.
Because you can Brute Force
the security ID or the session ID and basically find out what is the session ID associated with the admin account that is what we did in the previous video but now this is no longer the case because it says session IDs are no longer sequential additionally we are not giving the source code meaning this is a black box testing.
Please login with your admin account to retrieve credentials for natives 20 so if we log in now with anything to test the response of the web application.
Since we are testing session IDs we want to take a look now at the session ID of the user we use to login that is Test2 so we right click and we go to inspect now from here we go to application
and we highlight the cookies I will take a note of the session ID this is the session if we copy that and go to cyberchef.
From hex now we convert the value from hexadecimal into the corresponding ASCII text as you can see the result is 380-Test 2 so the user we have used is part of this session ID.
To understand this more we need to go back and login with a different user and see how decision ID will be will differ so we delete this cookie from here
we go back to the main page and we type this time test5 login again we go to inspect we expect the cookies we click the session ID we go to cyberchef we paste the session ID
and indeed this is the session new session ID so see guys the username we use is always added as part of the cookie before the hex encoding
this time and this time Test2 and test5 and there is a number between before the username.
This time we’re going to try to login with an admin account so admin1 password is admin 1 and now we want to take a look at the cookie
copy the cookie so that’s the new cookie guys so again it includes the username admin1 and before the username there is a number let’s now try with another admin user
so we delete the last cookie admin6 this time take a look again at the cookies and again as you can see admin6 is part of the cookie and before the username there is the number
now you see there is a pattern so when we first we’re logging in with regular users as you can see the cookies they seem to have common parts starting with the 2D 2d74657375 this is the common part for the users or regular users.
If we go to the admin users and highlight the common parts in their session IDs we can start from here so what do we need to do
we need to assume that we want to get access to the user admin only admin to be able to do that we need to find out where is the admin portion in hexadecimal
so it seems to me that this is the admin portion in hexadecimal to confirm the suspicion as you can see the admin part so we need to keep this admin part constant in our fuzzing and we need to find out the correct number.
So basically we’re gonna accurate through like numbers from zero till 640 okay because 640 was the maximum number used to generate the session IDs if you remember from the last challenge so from 0 to 640 these numbers are generated according to that range from 0 to 640 so we want to go through these numbers okay from 0 to 640 and try them out with the admin and she would which one grant us access so basically we’re doing brute force and fuzzing at the same time
let’s see that how this looks in a python script.
Okay so the first thing we do we Define the target this is the URL we’re gonna navigate to and these are the credentials and we’re going to simulate
basic authentication using the HTTP protocol with the credentials from the previous level alright next we Define the parameters that control the PHP session ID they are the maximum and
the lowest and highest number the lowest number is one and highest number is 640 again according to the previous challenge so between these two numbers we will be generating the session IDs so then we go through a while loop here so in the while loop we want to try every possible session ID okay the session ID is composed of two bits the first bit is the number in the range between 0 and 640 and the username itself we want to test these numbers but we want to keep the username constant which happens to be admin to do that so this is the admin part
in HEX and this is how we converts the number between 1 and 640 into hex so as you can see we take it from
the While loop from here so first the first number will be one and then we increase them by one every time we go through the loop
and we convert that into hex at the end decision ID comes as is hex.
The hex format plus the admin parts this is the hex format and this album part we add them together to get this formula the number and username and then we test this in a basic request through the headers and response variables. Next we run the script now this will or the spread the script will print every possible session ID that is generated during the process okay
now all of these session IDs are being attempted in a live fashion against their application.
So that was the session ID that generated the correct response that we wanted so let’s take a look copy that and we go to the browser as you can read all of this so it is 281-admin that’s the correct number that generated the cookie which rendered the this output so.
if you go down we can see this response you are an admin the credentials for the next level are not as 20 and this is the password so effectively this concludes the current level
and we can now attempt to log into the next level by changing the 19 in the URL into 20 okay so let’s try the password and now we are in the level 20 we will do this in the upcoming videos guys for now I conclude this video and I want to thank you for watching I will see you later.
Video Walkthrough
