Saturday, November 22, 2014

Natas 21

Natas 21 looks like it'll be something new -- two colocated webpages, one that displays the normal "you are logged in as a regular user" text and one that lets you edit the webpage's CSS settings.

main page

 colocated page

Looking through the source code, it looks like the main page looks a lot like previous levels. If $_SESSION["admin"] == 1, then you'll get to see the passphrase for the next level.

source code for main page

If we assume that sessions are shared across the two site (since they're co-located), then any changes we make to the session of a user on the secondary website should affect the session of a user on the main page too.

If we submit the form on the CSS editor page and intercept it with BURP, we can add additional POST parameters -- specifically the "admin=1" bit:

If we note down the PHPSESSID variable for this session, and submit a request as that user on the main page, the PHP script will give us the password to Natas 22!

No comments:

Post a Comment