So, Natas 19 from the OverTheWire wargame starts out with the prompt and page telling us that this page uses most of the same code as the previous level, level 18, but session IDs are no longer sequential. It gives us the prompt, please log in with your admin account to retrieve credentials for the next level, Natas 20, and we see this form with the HTTP POST method to index.php. But there is no link to view the source code in this level, so we're just going to have to operate under the assumption that, again, this page uses most of the same code as the previous level.

So, in our Python code, let's actually take a look at what we have here. After we make this request, we can see what our session cookies are. Because we're using a session to request this page, we should be able to determine what the actual cookies are following this. So, we can print out session cookies, and let's go ahead and check out the output. Right now, it should be nothing because we haven't actually posted to the form. Let's go ahead and do that. Create a new response here, but instead of running a GET command for HTTP, we'll run a POST, and the data there had a username and password field, so that will have to be a Python dictionary where we say username can be "please" and password string can be "subscribe". Okay, so let's actually display the text with it, but let's have the session cookies come with as well. We'll just have a divider there.

So, as I run this, you can see over and over again, if I keep pressing Ctrl+B to make this request, interesting things are happening because we can see a cookie, that PHP session ID again. In the previous level, level 18, we were working with brute forcing the PHP session ID. So in this case, it looks like we have kind of a random number, but not like we used to. It looks like the first couple numbers are changing: three, three, three, etc. Three, two, three, one, etc., over and over and over again. But the last bit does not change.
So I was curious why that is. And it looked like it was almost dependent on the username, because after some testing, I changed this to, like, John. And we have a different result for that PHP session, just at the very, very end. But if we keep looking at the three leading at the beginning of the string, or these numbers here, those tend to be the same pattern. So I tried to check this out a little bit more. I changed the username to actually nothing and still logged in with a password, supposedly. But the numbers that we're seeing, I'll shrink this text a little bit so that won't scroll for us: three, five, three, four, three, one, etc. Three, two, three, seven, three, zero, etc. But that 2d at the very, very end tends to stay there the whole time.

And I was curious what that really is, because this doesn't look like a hash. And since it's variable on the username, that couldn't be the case because we're not going to have a length of 32 or whatever hash length may be apparent there. So I tried to check out what these numbers are in other representations, and that 2d looked odd to me. So I actually determined what some of these things might be in hex, because we have a d here and the numbers that we've seen earlier, we had a 6e, etc., etc. It didn't look like we went to any letters higher than f. And I thought, okay, maybe this is hex.

So I tried to check that out and I'll show it here in IDLE. Let's decode that string from hex and we get five, six, five and a hyphen here. So that 2d must be the hyphen and then the numbers must be changing. Let's actually print out session.cookies. And let's get that PHP session ID just like that. And let's decode that from hex. Cool. Great. Now I wonder if I can do this a couple more times just to showcase this. So it looks like we're getting a random number and a hyphen and whatever we pass for our username. Is that right? Yeah.
Looks like that username is also hex encoded, and the numbers that we've seen before look to be bounded probably the same way they were in level 18. They were from zero to 640. Okay. So that kind of fills in the color of this picture. And now we can put together an attack to try and find what admin credential or what admin PHP session ID there might be. The same way we brute forced it last time, we're brute forcing it again. But now we'll just have to hex encode that cookie that we know the original of and try and find the correct number.

So let's try that. Now let's say for i in range(641) again. We've got a session and we want to see what is the cookie that we can give it. Probably just a GET request now because we're going to pass in a cookie already prepared with the PHP session ID already set to our number. I'll just stringify that with the hyphen. It should be %d for a decimal or a digit, I guess, and then admin because we want admin to be the password here. And we want to encode that with hex, and don't forget that we need to actually, percent, in here, inject that i or whatever we're iterating on. So let's print this out just to see what we've got. Let's print out this whole thing. And then let's print out what the response text is. Let's do this for only a couple requests so we can see it in action. There's that session ID, session ID again, etc., etc., etc. And it says you're logged in as a regular user. I was going to say regular loser again.

So now let's try and determine if it says "You are an admin". I want to make sure that's the correct string that we had, the same way it was in the last level. It says, yeah, "You are an admin". If "You are an admin" is in the response, then we've got the correct session ID. If "You are an admin" in response.text, we can print "got it" with the integer that we're trying. And let's break this and we'll print response.text. Otherwise, we will keep moving. So an else, we don't really need one.
So I'm going to go do this in the terminal. I just killed my Sublime Text, but we can python natas19. And we'll start to run through it. Okay, something strange happened. Oh, no, we actually just forgot to increase that loop counter. Because now we want to go to 641 and go all the way to where we could. I should background those. Now we'll keep moving. And I will pause the recording right here as this increments. If we wanted to, we probably could have just put the number to display rather than the PHP session ID, but it looks like we're doing some leet hacking here. So I'll pause recording and I'll get back to you once we've got the credentials.

Okay, so the script finished, it says got it at 89. Let's get Sublime Text open. I'll background it this time. And oh, I put the break before it, whatever. Let's try and just make this GET request with the 89 as the correct ID number. And let's print response.text. If I run this, you can see it over on the side here. Session is not defined because I commented that out. How do we do? Excellent. You are an admin. The credentials for the next level are natas20 and the password here.

So that's the attack, or quote unquote attack, but just a little bit of experimentation and poking around and trying to figure out what really was that original PHP session ID. But again, very, very similar to the previous level, level 18. So let's go ahead and save this as Natas 20. And we'll start to examine what's next for us in that level.

So thank you guys for watching. I hope you're enjoying this series. I hope you're enjoying these videos. If you do like the video, please do leave a like, press that like button. Maybe leave me a comment. Let me know what you think. What else you'd like to see later in a future tutorial or video. If you're willing to subscribe. And if you would like to help me out, support me, please head over to my Patreon account and do whatever you're comfortable doing.
So on that note, I want to give a special shout out to Spencer Clark, an individual that just recently wanted to support me on Patreon. I have a reward that I'll give you a shout out in every single video that I do, like, literally ever. So props to you, Spencer. Thanks for your help and thanks for your support. Really hope to keep making quality content for you guys.
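
The cookie layout worked out in the walkthrough above (hex of `<number>-<username>`), as an added example that is not part of the original video or its script: it decodes a constructed sample value, measures how little of the token is unpredictable, and contrasts it with an ID drawn from a CSPRNG. The sample cookies, the function names and the 128-bit size are assumptions; the 0 to 640 bound is the one the walkthrough carries over from level 18.

```python
import binascii
import math
import re
import secrets

MAX_ID = 640  # upper bound the walkthrough assumes, carried over from level 18


def decode_session_id(cookie_value):
    """Hex-decode a cookie and split it into (number, username), else None."""
    try:
        text = binascii.unhexlify(cookie_value).decode("ascii")
    except ValueError:  # covers bad hex digits, odd length and non-ASCII bytes
        return None
    match = re.fullmatch(r"(\d+)-(.*)", text)
    if match is None:
        return None
    return int(match.group(1)), match.group(2)


def guess_space_bits(max_id=MAX_ID):
    """Bits of unpredictability left once the username part is known."""
    return math.log2(max_id + 1)


def is_structured(cookie_value):
    """Audit check: True when a session cookie decodes to '<number>-<name>'."""
    return decode_session_id(cookie_value) is not None


def new_session_id():
    """Hardened form: 128 bits from the OS CSPRNG, no user data embedded."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    sample = "3536352d706c65617365"  # constructed: hex of "565-please"
    print("decoded:", decode_session_id(sample))
    print("unpredictable bits in this scheme: %.2f" % guess_space_bits())
    print("flagged as structured:", is_structured(sample))
    fresh = new_session_id()
    print("CSPRNG token:", fresh, "(128 bits)")
```

Running `is_structured` over session cookies captured from your own application is a quick way to spot identifiers that embed user data or a small counter before someone else notices the pattern.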