We covered OverTheWire Natas 19-20 level. In this level, the web application used an if statement to verify if the user input contained certain words to whether grant admin access or not. The PHP code stores session ID values in a file as key/pair and in order to pass the condition, we need to send a payload in the form of key/pair. We used admin%201 as a key/value in the request to pass the condition and get access to the password of the next level. This was part of OverTheWire War Games Natas Level 19-20
Understanding the Challenge
I started by diving into Natas Level 19 of the OverTheWire CTF game. The goal was to get from Level 19 to Level 20 by finding admin credentials. Unlike the previous level, I quickly realized that brute-forcing session IDs wouldn’t work because they weren’t sequential anymore. Since the source code wasn’t available, it was a classic black-box testing scenario. My main objective was to log in as an admin.
Analyzing Session IDs
My first step was to log in with a regular user, like “test2,” and inspect the session ID cookie. I used CyberChef to convert the hexadecimal session ID into ASCII text. What I found was interesting: the username I used for login was part of the decoded session ID, often preceded by a number (e.g., “380test2”).
I repeated this process with other regular users (“test5”) and then with known admin users (“admin1”, “admin6”). A clear pattern emerged:
- Regular users’ session IDs had a specific hexadecimal prefix.
- Admin users’ session IDs had a different, distinct hexadecimal prefix.
- It seemed the username was appended to a number, and that combined string was then hex-encoded to form the session ID.
Formulating the Attack (Session ID Hijacking)
With this pattern in hand, I devised a strategy: session ID hijacking. My plan was to find the correct number that, when combined with the username “admin” and then hex-encoded, would grant me admin access. I assumed the target username was simply “admin.” I identified the hexadecimal representation of “admin” and decided to iterate through numbers (from 0 to 640, based on a range seen in a previous challenge’s session ID generation) to combine with “admin,” hex-encode the result, and test each one.
Automating with Python
To make this process efficient, I used a Python script to automate the brute-forcing. Here’s a breakdown of the script’s logic:
- It defined the target URL and the credentials for basic HTTP authentication.
- It set the range for the numbers to be tested, from 1 to 640.
- A
whileloop iterated through each number in this range. - Inside the loop, the current number was converted to its hexadecimal representation.
- This hex number was then concatenated with the hex representation of “admin.”
- This combined hex string was set as the
PHPSESSIDcookie in an HTTP request. - The script then sent the request and checked the server’s response.
- The script also printed each session ID it attempted.
While there weren’t direct terminal commands for the attack itself (as it was handled by the Python script), the core conceptual logic for constructing the session ID was:
Python
# For each number in the range (e.g., 1 to 640)
number_hex = hex(current_number)
admin_hex = "61646d696e" # Hex for "admin"
session_id_value = number_hex_formatted_appropriately + admin_hex
# This session_id_value is then used in the Cookie header
More specifically, the script showed:
hex_number = hex(i)[2:].zfill(2)(or similar logic for formatting the number to hex)cookie = hex_number + "61646d696e"(combining the hex number with the hex for “admin”)
Successful Exploitation
The script eventually found a session ID that granted admin access! The decoded version of this successful cookie was “281admin”. When the server responded to this session ID, it confirmed: “You are an admin. The credentials for the next level are: natas20 [password]”.
Natas 21 Password
89OWrTkGmiLZLv12JY4tLj2c4FW0xn56
