What's up, YouTube? This is John Hammond, and we're looking again at the Natas war game from OverTheWire. So now we're on level 18, and let's go ahead and run our script to see what it is that we are actually working with here. Looks like the page returns: "Please log in with your admin account to retrieve credentials for natas19." Okay, so this doesn't look like the SQL injection or the command execution that we had seen in some of the other levels. Maybe this is something new. We have username and password input fields here, but let's take a look at the source code and try to analyze what we can. Paste that in for our GET request, and now we can de-entitize what that returns for us and remove all the break tags with some find-and-replace magic.

So the PHP code starts out telling us we have a max ID variable set to 640. The comment here: "640 should be enough for everyone." Don't entirely know what that means just yet, so we'll keep reading. Here's one function, isValidAdminLogin: determines if the requested username is equal to admin. "This method of authentication appears to be unsafe and has been disabled for now." Okay, so that function just returns zero; it pretty much does nothing, just returns zero. But that kind of nerfs our ability to log in as admin, because if we were to pass along this request with the username field, just trying to log in as admin, it wouldn't work for us. So, okay, whatever, that's not gonna do anything; it just returns zero. So this function, isValidID, just determines whether or not the argument that's passed to it is a number: the ID is a number. createID: user doesn't look like user is actually used in this function, but it does take advantage of this max ID variable. It's global scope, right on the outside, and it creates a random number from one to six hundred and forty. That's what that rand function does.
Okay, so createID is kind of random. Debug messages we can use with a GET parameter; that's pretty handy to know in case it gives us any valuable information. But my_session_start looks like it will determine whether or not a session ID already exists in the cookie, a PHPSESSID, and whether it's valid or not. If that is the case, it will go through with this code. If not, it does nothing; there is no else statement with this, it looks like. So if the session has not already started, it looks like it will just say it fails and return false. Otherwise, it will create a new session, determine if you're an admin, and debug. Okay, it looks like it closes that admin variable there, sets that session admin equal to zero. Okay, so that locks us out again of being admin; that still won't work, right? There's isValidAdminLogin returning zero, session admin being set to zero, so "Session was old: admin flag set" resets us. So it looks like it never really lets us be that session admin. Yeah, even this session admin equals zero, but later on in this print_credentials function it looks like it's trying to determine if session admin is equal to one; then it will say "You are an admin. The credentials for the next level are here." So we have to set session admin to one, but we can't in this code, at least in what we've read so far. Well, otherwise we're logging in as a regular user: "a regular user. Sorry, log in as admin to retrieve credentials." Huh. If the session has started, it will display that; otherwise it will read the request for us. Session admin is going to be zero, because isValidAdminLogin is zero, and it will show the form if we haven't logged in. Okay, so let's just try it out. Let's go ahead and make a POST request here.
We'll pass in the data. Make sure we actually post to the real page, not the source code; I'm going to change the URL up there. Username can equal "please" and password can be "subscribe." Shameless self-advertisement. Run this. So we get here: "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19." What the heck? Okay, I don't know why we aren't an admin, other than the fact that I tried to log in as "please subscribe," so clearly we're not going to be an admin just like that. Let's print out what cookies we have here, because it looked like in the source code it was showing us the PHP session variable, PHPSESSID, being set to 260. So that must be what that source code gave us as the random number, random between 1 and 640. But there's no way we could otherwise be an admin, because it wouldn't let us use any of those session admin variables. So maybe one of these session IDs is just the admin ID? I'm going to do a little bit of research here. Let's fire up Firefox, and I just wanted to show this to you, because PHPSESSID is something we should probably get to know. Uh, I know there is a PHPSESSID php.com-like article on this thing; there's gotta be. "session_id" "PHPSESSID" will actually tell us what this thing is. Okay, it looks like it just gets and sets session functions; it won't tell us anything about what that PHPSESSID is, other than that there is one and it looks like it has to be stored. Stack Overflow: "PHP uses two methods of keeping track of sessions. If cookies are enabled, like in your case, it uses them." Okay, so that must be what we're working with. So it looks like we have to change that cookie variable PHPSESSID to one of the numbers between 1 and 640, because maybe one of them will be an admin ID. So let's try that. Let's get the page with a session ID set to something else.
So let's GET with cookies equal to PHPSESSID set to 1; right, it's got to be a string here. I don't need the cookies anymore, because I'm pretty trusting it will return. It says "You are logged in as a regular loser." A regular loser, um. And let's actually move forward from this here, because we want to see... okay, that one clearly wasn't the admin user, so what else can we get that might be? We want to determine in a loop, because we're getting the page over and over and over again with a new session ID, if we are the admin. So "You are an admin" was the string that was in it, right? Let's see, content = response.text can just be the content variable that we're working with in content. Actually, I probably want that down here: print "got it" and then print the content; otherwise just print "trying" the session ID. And we will loop through for session ID in range of one to six hundred and forty. We can go up to 641, since that will be inclusive here, and let's run str of our session ID. Um, before we do this, I should have actually checked that or saved that source code, because I wanted to know what that string would be, because I honestly forget. So let's just check. Let's just do one more GET request to make sure that is the correct string determining if we are not an admin. Let's print response.text, de-entitize. I really should just save this code. I'm sorry I didn't. "You are an admin." Okay, that works just fine for us. Good. Uh, let's put this in a new pane in case we need it again, and let's start the attack: session ID, GET with the cookies PHPSESSID being set as the string here, getting the content, determining if "You are an admin" is in the content. If it is, it will get it, and otherwise it will print trying the session ID. And let's see how this looks.
I'm gonna do this in the command line, so we can python natas18.py. Trying 1, 2, 3, etc., etc., etc. So I'll let this run. And actually, I should probably put a break when we get it, and then print the session ID that we got. Now let's run this, and I'll pause the video, I'll pause the recording, so once it's done we can see what the password is. So I ran through it and it didn't work. So let's take a look at the code and see what's wrong. Oh, we were sending that to the source code all along. I'm a fool. So that code probably would have worked. I'm gonna pause the video here, pause the recording, so I can see. Okay, so the script returned now, and I did get the correct session ID, or admin ID, at ID number 138. So here we've got the password: "You are an admin. The credentials for the next level are: natas19, password" this guy. And that's it. So the session ID we're passing in to our request, since that's not part of the session object, it doesn't look like it's staying in the session object itself; it looks like it's just going for that request. So that's a peculiar note. And I really want to apologize about sending it to the wrong page up there, with the index-source still in the URL. I'm sure you were probably screaming at me the entire time. I need to remember to change that. But thank you guys for watching; hope you enjoyed this. Let's go ahead and put this new password in a new script. Let's put this in natas19, and let's go ahead and see what this level is asking us to do. Cool. All right. Well, hey, thank you guys for watching. Hope you're enjoying these videos. If you did like the video, please do hit that like button, leave me a comment, let me know what you think, what you like, what I can do better, what else you'd like to see. Please subscribe, and if you really, really want to support me, please head on over to my Patreon account. So thanks again, guys. I'll see you in a later video.
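The walkthrough above turns on one design flaw: createID draws the session ID from rand(1, 640), so the whole ID space can be walked in at most 640 requests. The following Python is an added example, not code from the video or from the Natas source. It models that weak generator next to a hardened one, works out what the ID-space size means for a guesser, and runs a small check over constructed web-server log lines to show what the "trying 1, 2, 3..." loop looks like from the server side: one client presenting many distinct PHPSESSID values. The log format, IP addresses, function names and the threshold are all constructed for this demo.

```python
"""Added example (not from John Hammond's video or the Natas level source).

Models the level's 640-value session-ID generator next to a hardened one,
quantifies the difference for a guesser, and flags session-ID cycling in
constructed access-log lines. Names, log format and threshold are assumptions.
"""
import math
import random
import re
import secrets
from collections import defaultdict

MAXID = 640  # the "640 should be enough for everyone" constant from the level


def create_id_weak() -> str:
    """Mirror of the level's createID(): rand(1, MAXID); the user is ignored."""
    return str(random.randint(1, MAXID))


def create_id_strong() -> str:
    """Hardened generator: 128 bits from the OS CSPRNG (32 hex characters)."""
    return secrets.token_hex(16)


def id_space_bits(generator) -> float:
    """Size of the ID space, in bits, for one of the two generators above."""
    return math.log2(MAXID) if generator is create_id_weak else 128.0


def expected_requests_to_hit(space_size: int, valid_ids: int) -> float:
    """Expected number of distinct guesses before the first live ID is found
    when `valid_ids` live IDs sit in a space of `space_size` values and the
    guesser never repeats a value: (N + 1) / (k + 1)."""
    return (space_size + 1) / (valid_ids + 1)


# Constructed log lines in a simplified "ip method path status cookie" format.
# 10.0.0.7 cycles through IDs (the loop from the video); 192.0.2.9 keeps one.
SAMPLE_LOG = """\
10.0.0.7 GET /index.php 200 PHPSESSID=1
10.0.0.7 GET /index.php 200 PHPSESSID=2
10.0.0.7 GET /index.php 200 PHPSESSID=3
10.0.0.7 GET /index.php 200 PHPSESSID=4
10.0.0.7 GET /index.php 200 PHPSESSID=5
10.0.0.7 GET /index.php 200 PHPSESSID=6
192.0.2.9 POST /index.php 200 PHPSESSID=260
192.0.2.9 GET /index.php 200 PHPSESSID=260
192.0.2.9 GET /index.php 200 PHPSESSID=260
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"PHPSESSID=(?P<sid>\S+)$"
)


def distinct_sids_per_client(log_text: str) -> dict:
    """Map each client IP to the number of distinct PHPSESSID values it sent."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a session cookie
        seen[m["ip"]].add(m["sid"])
    return {ip: len(sids) for ip, sids in seen.items()}


def flag_session_cycling(log_text: str, threshold: int = 5) -> list:
    """Return client IPs that presented more than `threshold` distinct session
    IDs. A browser keeps one PHPSESSID; a guessing loop cycles through them."""
    counts = distinct_sids_per_client(log_text)
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    print("weak ID space: %.1f bits, expected guesses to first hit: %.1f"
          % (id_space_bits(create_id_weak), expected_requests_to_hit(MAXID, 1)))
    print("strong ID space: %.1f bits, expected guesses to first hit: %.3g"
          % (id_space_bits(create_id_strong),
             expected_requests_to_hit(2 ** 128, 1)))
    print("clients cycling session IDs:", flag_session_cycling(SAMPLE_LOG))
```

The point of the two numbers: with one admin session somewhere in 640 slots, a non-repeating guesser expects to need about 320 requests, which is exactly why the video's loop finishes in minutes; at 128 bits the same expectation is on the order of 10^38. The log check is deliberately simple (distinct cookie values per source, no time window) so it is easy to adapt to a real access-log parser; the threshold of 5 is a constructed value, not a recommendation.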