We covered OverTheWire Natas level 19-20. In this level, the web application uses an if statement to check whether the user input contains certain words before deciding whether to grant admin access. The PHP code stores session values in a file as key/value pairs, so to pass the condition we need to send a payload in the form of a key/value pair. We used admin%201 as the key/value in the request to pass the condition and get the password for the next level. This was part of the OverTheWire War Games, Natas Level 19-20.
Natas 21 Password
89OWrTkGmiLZLv12JY4tLj2c4FW0xn56
Video Transcript
As you know, guys, the OverTheWire Natas CTF is a collection of web application penetration testing challenges, so if you want to strengthen your knowledge in the area of web application penetration testing, I advise you to go back and watch all of the walkthroughs that I did for Natas, starting from Level 0 all the way to Level 20.
The goal is to retrieve the credentials for Natas level 21. You might think this is simple: just type admin to log in. But when you click the button, it does nothing.
If we view the source code, what matters for us is the session_set_save_handler call.
It is passed these values, which are the names of the functions in the code that handle session storage for users.
There are three important functions in this PHP code: mywrite, myread and print_credentials.
Session values are stored in a file as key/value pairs, with the key and the value separated by a space. The function print_credentials contains an if statement that checks the entries of the file used to hold the session data. If it finds an entry with the key admin and the value 1, it prints the credentials of the next level.
So, using Burp Suite, we intercept a request and pass the payload in the name parameter, so that the value contains a URL-encoded newline (%0A) followed by admin, a URL-encoded space (%20) and 1:
name=admin%0Aadmin%201
Doing that, along with attaching ?debug to the request, the full URL becomes the one below:
http://natas20.natas.labs.overthewire.org/index.php?debug&name=admin%0Aadmin%201
When we send the above as a GET request, we retrieve the credentials for Natas level 21.
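Why the newline in the name parameter works, and how encoding the fields before writing closes the gap, shown as an added example (not the Natas 20 source and not code from this walkthrough). It is a simplified model of a store that writes each entry as a "key value" line; the names write_raw, write_encoded, read_store and is_admin are hypothetical.

```php
<?php
// Simplified model of a line-based session store. Hypothetical names;
// this is not the Natas 20 source. Each entry is stored as "key value\n".

function write_raw(array $session): string {
    $data = "";
    foreach ($session as $key => $value) {
        $data .= "$key $value\n"; // raw value: an embedded newline starts a new entry
    }
    return $data;
}

function write_encoded(array $session): string {
    $data = "";
    foreach ($session as $key => $value) {
        // Percent-encode both fields so neither a space nor a newline survives in them.
        $data .= rawurlencode((string)$key) . " " . rawurlencode((string)$value) . "\n";
    }
    return $data;
}

function read_store(string $data, bool $encoded): array {
    $session = [];
    foreach (explode("\n", $data) as $line) {
        $parts = explode(" ", $line, 2);
        if (count($parts) !== 2 || $parts[0] === "") {
            continue; // skip blank or malformed lines
        }
        [$key, $value] = $encoded ? array_map('rawurldecode', $parts) : $parts;
        $session[$key] = $value;
    }
    return $session;
}

function is_admin(array $session): bool {
    // The condition the write-up describes: a key "admin" whose value is 1.
    return isset($session["admin"]) && $session["admin"] == 1;
}

// Constructed input: the decoded form of name=admin%0Aadmin%201.
$name = "admin\nadmin 1";

$raw     = read_store(write_raw(["name" => $name]), false);
$encoded = read_store(write_encoded(["name" => $name]), true);

printf("raw store:     keys=%s admin=%s\n", implode(",", array_keys($raw)), var_export(is_admin($raw), true));
printf("encoded store: keys=%s admin=%s\n", implode(",", array_keys($encoded)), var_export(is_admin($encoded), true));
printf("encoded store keeps name intact: %s\n", var_export($encoded["name"] === $name, true));
```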