Natas level 20 introduces the page in a different way than the previous levels like Natas 18 and Natas 19 did. Immediately we are supposedly already logged in as a regular user, but we have to modify the credentials and log in as admin to retrieve credentials for Natas 21, the next level. So we have a form here that allows us to post another HTTP method to index.php, this homepage here, and the functionality looks like it's asking for a name, like we can change the name of whatever user we're logged in as. To verify this, let's take a look at the index source. We can go ahead and browse to that page here with our Python script. And let's go ahead and take this, remove all of the break lines that are in the way, and let's de-entitize this thing. I did that out of order, so de-entitize. Does that work? Hello. Okay, cool. I don't know why I said hello. Talking on the phone here.

All right, so the source code that we have gives us a debug message that looks like it's enabled once we actually run GET requests with the variable debug, if that's present. Normally I've ignored this, but we are gonna need it in this level, so that'll give a better idea of what's really happening here. The function print_credentials looks like it is being run because it tells us originally "you're logged in as a regular user, log in as the admin to retrieve credentials." So we're trying to determine whether or not the session little dictionary in PHP has this admin index, this admin value, and make sure that that is set to one. I guess it's an associative array in PHP, whatever, but we wanna make sure that session admin is set to one. Okay, that's the goal here, and then we get the password for the next level. So it looks like this program defines a lot of boilerplate functions that are trying to handle how a session, or a PHP session, is stored and saved.
We can scroll down a little bit earlier and we see other functions like MyDestroy, MyGarbage, et cetera, and these are set as the handlers for the default PHP session handler, or how that's really operated and done in PHP. So since we're using these custom-made functions, we have the code here that's visible and we might be able to do something villainous if we really wanted to. So things like MyOpen, MyClose, MyDestroy, MyGarbage are noted as "we don't need these things"; they just kind of return true and they aren't really anything interesting. But what we have here is this functionality that lets us change the name variable, just like we saw in that form. If we actually post to the page, make a request and set the name, it will go ahead and create a session variable for that. It displays the credentials and if the right key exists, it gets it, et cetera, et cetera, and we just have our form.

So the interesting things here are these custom functions, MyRead and MyWrite, because they're the only valuable ones really being used for handling our session. So MyRead is interesting because it says, okay, I'm gonna read out of a session ID, and it tests whether the string matches these characters here or is not equal to the length or whatever, and it looks like that just determines whether or not it's a valid session ID. So some kind of handling determines if it's in the right form. And then it stores these in a file, a file name that it determines a path for, and whether or not it exists, it will handle it appropriately. If it does exist, it will read from it. It looks like it gets the contents of it, it creates an array for the session variable and it will process it bit by bit. That explode function in PHP will take a string and explode or split it up into an array or a list given a specific delimiter.
So our newline here just breaks it up line by line, and you can see this debug statement here: it's reading each line by line and then it explodes by spaces and it determines each specific part or segment of the line that it's reading. So if it's not nothing, if it's not an empty line, it sets a session variable to the other part of that line, like key value; we have a key pair here. Okay, that looks peculiar because that can probably be taken advantage of. So it's reading out of that session file. Now let's determine how is it getting written to? How does the MyWrite function work? We get our debug message, we test if it's in the correct form again, we get the same file name, saving, and we sort by keys the session variable. For each session variable that we have, we denote the debug here and we add it to a string that we're originally appending to from nothing, and we build out a new file based off of that because we're using file_put_contents.

Okay, so let's actually play with this now in code, now experimenting with the level. Because we're in Python and because we're using this response.text session that we're able to work with, we can handle multiple calls all in code because we're doing this code like this. So let's actually have a divider here because I wanna show you the development in this. By default, we are still going to the source code. So let's first fix that. Let's go to the original page. It tells us you're logged in as an individual, as a regular user, nothing special. Let's turn those debug methods on by changing this link here to include HTTP GET variables. So following with the question mark, debug can equal really anything, but I'll just say true for readability and we'll check out what this content is. It says, okay, debug MyRead, blah, blah, blah. This must be the random thing that's created. It says, okay, this session file doesn't exist.
So it must have been created, and that's why at the very end of the page we see the MyWrite function being run and saving it in /var/lib/php, so whatever file on the server that this session is being stored into. So we're operating in a session, right? Every time I run this program, run this Python script, we're gonna get a different string as our session string. So what I'm going to do is just make multiple calls, but I'm not going to, I'm gonna keep adding to the current script we're working with. Let's go ahead and see if we can change our name, or let's, before we get into that, let's see: are we keeping the same session following this, or after we, if we get another request here? We say, okay, let's get a random one. The session file doesn't exist. We write to it, and then in the second call, using our dividers to tell us it's a second call, we see, okay, now that file does exist because we created it. There's nothing really in there, so it was able to read nothing, but we should have some other variables we can put into it because of that change name functionality.

Now let's try and include a name that we can post to it. Let's make a call to post with data being name, which can be "please sub". Now that we've posted to it. Again, session file doesn't exist. It will create it. Now that we've made a post we have set debug statements out here. Name is set to "please sub" and we write in here, in the session file, we're setting name, a string, a six character length, to contents "please sub". Final call, once we run GET we are reading here, reading from /var/lib. Read name is "please sub". Okay, so we were able to do that, and in my MyWrite function it still keeps the name here.
Now let's see if we can inject something or get in the way of this read and write function, because it doesn't look like they're sanitizing anything at all in that source code. If they're just splitting up variables line by line, with a space in between each thing, we could just as easily add a newline and change whatever session variables we really wanted to. Oh, you know, like admin, and set admin equal to one. So let's go ahead and try that. In our code, when we're making our post request, we can say name "please sub" or whatever we really wanted to, but if we had a newline character, backslash n, now we can set any other session variable to whatever we want because we're getting in the way of that session handler: admin, and set it to one, right? Cool. Let's go ahead and take a look. If I run this code at the very, very end, after we've established the session and then after we've modified it, now we can check back. It says, awesome. You are an admin. The credentials for the next level are natas21 and the password right here. So I hope that makes sense, because we were able to just read the source code, see how it's determining these variables getting saved and loaded essentially from the PHP session with those custom handlers, and we're able to take advantage of them. So sweet. Let's go ahead and save this now. Create a new script, natas21, and we don't need all this junk, but we do want to move to the next level here, and we've got the next level. Okay.

So thank you guys for watching. I hope you enjoy this. If you do like these videos, please press that like button and, I'm getting my words stumbled, maybe leave me a comment, let me know what you think, what you'd like to see next, what I can do better, how else you solved this. If you're willing to subscribe, and if you really, really want to support me, please check me out on Patreon. On that note, I want to give a special shout out to Spencer Clark, who is currently supporting me on Patreon.
If you do support me, I'll give you a shout out in literally every single video. Five dollars or more and I'll give you early access to just about everything I release on YouTube. So thanks for watching. See you soon.
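As an added example (not the video's code, and not the level's own PHP), here is a Python model of the session-file format the walkthrough describes: one "key value" line per variable, written without escaping and read back by splitting on newlines and then on the first space. It shows why a newline inside the user-controlled name field lets a second key such as admin be injected, and pairs the naive writer with a hardened one that refuses such values. Function names and the sample values are assumptions for illustration.

```python
# Added example: model of a natas20-style custom session handler.
# The naive writer/reader mirror the MyWrite/MyRead behaviour described in
# the walkthrough; write_session_safe is the hardened counterpart.

def write_session(data: dict) -> str:
    """Naive writer modelled on MyWrite: 'key value\\n' per entry, no escaping."""
    return "".join(f"{k} {v}\n" for k, v in sorted(data.items()))

def read_session(text: str) -> dict:
    """Naive reader modelled on MyRead: split on '\\n', then on the first ' '."""
    session = {}
    for line in text.split("\n"):
        if line == "":
            continue  # skip empty lines, like the original's emptiness check
        key, _, value = line.partition(" ")
        session[key] = value
    return session

def write_session_safe(data: dict) -> str:
    """Hardened writer: reject keys/values that could smuggle in a new line."""
    for k, v in data.items():
        if not k.isalnum() or "\n" in v or "\r" in v:
            raise ValueError(f"invalid session field {k!r}")
    return write_session(data)

def demo_injection(name: str) -> bool:
    """Round-trip a name through the naive handlers; True if admin became '1'."""
    stored = write_session({"name": name})
    return read_session(stored).get("admin") == "1"

def demo_hardened(name: str) -> bool:
    """True if the hardened writer accepts the name, False if it rejects it."""
    try:
        write_session_safe({"name": name})
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    # Constructed sample values: a plain name and one carrying an injected line.
    print("naive, plain name    ->", demo_injection("please sub"))
    print("naive, injected name ->", demo_injection("please sub\nadmin 1"))
    print("safe, injected name  ->", demo_hardened("please sub\nadmin 1"))
```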