We covered OverTheWire Natas 19-20 level. This level was similar to the previous level but with the session ID no longer generated sequentially and in the new challenge, the session ID is generated using a range of numbers from 1 to 640 and then combined with the username used to login and lastly the final string is hex encoded. Using python scripting were able to identify the pattern used in creating the session ID and find the one associated with the admin account. . This was part of OverTheWire War Games Natas Level 19-20
Challenge Introduction
Upon visiting the Level 19 login page, we’re greeted with the following message:
“This page uses mostly the same code as the previous level, but session IDs are no longer sequential.”
Additionally, no source code is provided ; this means we’re now in a black-box testing scenario.
The goal remains the same:
“Log in as admin to retrieve the credentials for Natas 20.”
Observing the Cookie Behavior
Let’s begin testing by logging in with a test user, e.g.,
test2
.
- Enter the credentials and login.
- Open Developer Tools → Application → Cookies.
- Copy the session ID assigned to the browser.
Now let’s decode the session ID using CyberChef:
- Decode from Hex → ASCII
- Result: CopyEdit
380-test2
This reveals an important insight:
The username is part of the session ID, encoded in hexadecimal.
Testing More Usernames
Let’s test another user to confirm the pattern:
- Delete the previous session cookie.
- Login using:
test5
- Observe the new session ID in DevTools.
- Decode it in CyberChef: CopyEdit
383-test5
Same pattern again: a number prefix, followed by the username.
Let’s now try admin users:
- Login:
admin1
→ Cookie: csharpCopyEdit[number]-admin1
- Login:
admin6
→ Cookie: csharpCopyEdit[number]-admin6
This confirms a consistent session ID format:
cssCopyEdit[number]-[username]
All encoded in hexadecimal.
Understanding the Session Format
From our observations:
- The username is clearly embedded in the session ID.
- The numeric prefix varies by user and appears to be within a predictable range (just like Level 18, where the max was
640
).
Therefore, we hypothesize:
Admin’s valid session ID is somewhere between
1
and640
, prefixed before the stringadmin
, then hex-encoded.
We’ll brute-force all combinations from 1-admin
through 640-admin
.
Automating with Python
We’ll automate the attack using a Python script. Here’s how it works:
- Define Target URL & Credentials
- Use basic HTTP authentication with the Level 18 credentials.
- Set Range
- Session IDs will be generated from
1
to640
.
- Session IDs will be generated from
- Hex-Encode the Session
- For each iteration:
- Convert the number to a string
- Append
'admin'
- Encode the result to hexadecimal (e.g.,
281-admin
→3238312d61646d696e
)
- For each iteration:
- Send Requests
- For each encoded session ID, send a request with it as the cookie.
- Check Responses
- Analyze responses for a successful login (e.g., response contains: “You are an admin”).
Sample Code Snippet
import requests
url = 'http://natas19.natas.labs.overthewire.org'
auth = ('natas19', 'YOUR_LEVEL_18_PASSWORD')
for i in range(1, 641):
session_id = f"{i}-admin".encode('utf-8').hex()
cookies = {'PHPSESSID': session_id}
response = requests.get(url, auth=auth, cookies=cookies)
if "You are an admin" in response.text:
print(f"[+] Success with session ID: {i}-admin")
print(response.text)
break
Wrapping Up
This concludes Natas Level 19. Here’s what we covered:
- Identified session IDs containing encoded usernames
- Discovered session ID format:
[number]-[username]
- Brute-forced session IDs using Python
- Successfully accessed admin credentials
To proceed:
- Change the URL from
natas19
tonatas20
- Use the retrieved password to begin Level 20
Video Walkthrough