Session ID Hijacking With Python | OverTheWire Natas 19-20

We covered OverTheWire Natas 19-20 level. This level was similar to the previous level but with the session ID no longer generated sequentially and in the new challenge, the session ID is generated using a range of numbers from 1 to 640 and then combined with the username used to login and lastly the final string is hex encoded. Using python scripting were able to identify the pattern used in creating the session ID and find the one associated with the admin account. . This was part of OverTheWire War Games Natas Level 19-20

Get OSCP Certificate Notes

Challenge Introduction

Upon visiting the Level 19 login page, we’re greeted with the following message:

“This page uses mostly the same code as the previous level, but session IDs are no longer sequential.”

Additionally, no source code is provided ; this means we’re now in a black-box testing scenario.
The goal remains the same:

“Log in as admin to retrieve the credentials for Natas 20.”

Observing the Cookie Behavior

Let’s begin testing by logging in with a test user, e.g., test2.

1. Enter the credentials and login.
2. Open Developer Tools → Application → Cookies.
3. Copy the session ID assigned to the browser.

Now let’s decode the session ID using CyberChef:

• Decode from Hex → ASCII
• Result: CopyEdit380-test2

This reveals an important insight:

The username is part of the session ID, encoded in hexadecimal.

Testing More Usernames

Let’s test another user to confirm the pattern:

1. Delete the previous session cookie.
2. Login using: test5
3. Observe the new session ID in DevTools.
4. Decode it in CyberChef: CopyEdit383-test5

Same pattern again: a number prefix, followed by the username.

Let’s now try admin users:

• Login: admin1 → Cookie: csharpCopyEdit[number]-admin1
• Login: admin6 → Cookie: csharpCopyEdit[number]-admin6

This confirms a consistent session ID format:

cssCopyEdit[number]-[username]

All encoded in hexadecimal.

Understanding the Session Format

From our observations:

• The username is clearly embedded in the session ID.
• The numeric prefix varies by user and appears to be within a predictable range (just like Level 18, where the max was 640).

Therefore, we hypothesize:

Admin’s valid session ID is somewhere between 1 and 640, prefixed before the string admin, then hex-encoded.

We’ll brute-force all combinations from 1-admin through 640-admin.

Automating with Python

We’ll automate the attack using a Python script. Here’s how it works:

1. Define Target URL & Credentials
   • Use basic HTTP authentication with the Level 18 credentials.
2. Set Range
   • Session IDs will be generated from 1 to 640.
3. Hex-Encode the Session
   • For each iteration:
     • Convert the number to a string
     • Append 'admin'
     • Encode the result to hexadecimal (e.g., 281-admin → 3238312d61646d696e)
4. Send Requests
   • For each encoded session ID, send a request with it as the cookie.
5. Check Responses
   • Analyze responses for a successful login (e.g., response contains: “You are an admin”).

Sample Code Snippet

import requests

url = 'http://natas19.natas.labs.overthewire.org'
auth = ('natas19', 'YOUR_LEVEL_18_PASSWORD')

for i in range(1, 641):
    session_id = f"{i}-admin".encode('utf-8').hex()
    cookies = {'PHPSESSID': session_id}
    response = requests.get(url, auth=auth, cookies=cookies)
    
    if "You are an admin" in response.text:
        print(f"[+] Success with session ID: {i}-admin")
        print(response.text)
        break

Wrapping Up

This concludes Natas Level 19. Here’s what we covered:

• Identified session IDs containing encoded usernames
• Discovered session ID format: [number]-[username]
• Brute-forced session IDs using Python
• Successfully accessed admin credentials

To proceed:

• Change the URL from natas19 to natas20
• Use the retrieved password to begin Level 20

Video Walkthrough