So, Natas 21 of the OverTheWire wargame starts us off with the same kind of notification as earlier. You're logged in as a regular user; log in as admin to retrieve credentials for the next level. They give us a note here, though. They say the website is co-located with another URL, Natas 21 Experimenter. And that's peculiar. We'll have to note that, and we'll check out what the source code is. Before I do that, I want to snag that experimenter. Just that URL. It doesn't look like it needs a username in there at all, but let's actually check out the source code for this original page before we move on. Let's go ahead and de-entitize that and remove all the break tags, just like usual, so we can pretty much see the source code and let's put it in a new page. So it's easy to see here.

So it doesn't look like there's anything interesting in this page, other than it just gives us... Here's the function source code for the print credentials thing, determines whether or not we're a user and would give us the flag or the password for the next level, and that's all it does. So looks like that experimenter link is where we have to go next to be able to move on. So let's head over there. I'm going to just copy this and let's change the get URL to experimenter. Check out that web page and source code.

So that is 21 CSS style experimenter. This website is co-located with the original page. That's fine. Example, background color yellow, blah, blah, blah. Looks like you can change the colors of the page here supposedly in this form. That's the functionality of this web page. Whatever. We care about the vulnerabilities. So let's go ahead and take a look at the index source code here and see if we can read how that may have a vulnerability. index-source.html, just add it to the link here. Let's also de-entitize this, kill all the breaks and store this in another pane in case we need it again. So PHP code here, a little bit more active than the previous page.
We have a session that we're working with. If update was submitted, store it. So if array key exists, submit request. So essentially, if they submit to the page, every single key in the request is actually stored in session. That's awesome. That is probably how we're going to be able to become admin. Looks like that's pretty much a vulnerability. Whatever we request to it, we'll just store in a session. And if we're using session to determine whether or not we're going to get the password, then that's it. Looks like debug messages go through if we include that. This code looks like it's trying to filter keys down here. There's a loop that determines whether or not it is inside the valid keys, and then it will add it to the session key, but it looks like that already happens. This exact line is already being run up here. Okay, whatever. Looks like we can still take advantage of that.

So let's see if we can get the session admin variable updated. Looks like we could run with debug source, debug true being set. We can go ahead and run the get statement here. And we see the debug notifications, okay, session contents array, they're not set to anything, but since they're testing through the request, we don't have the request associated array or that note, that global in PHP. That's either PHP post or get. So we could just try submit equals one and see what happens here, right? Yep. Okay, looks like it's going to read the get variables just as well as it would have read the post variable. So we don't have to change the Python function that we're trying to run with requests. Now let's go ahead and set admin equal to one because we can do that just as easily. And now we have a session variable for admin being one. Perfect.

So I'm going to assume if these websites are co-located, looks like the session variables are probably just going to be, they're going to stay intact. So let's check out what our session cookie is in this website in the experimenter.
And then let's try and use that as the string for our PHP session in the original page and see if we can actually log in as admin in that. Let's try this. I'm just going to note that there. But let's change this back to URL. So we go to the original page and let's try with a cookie PHP session ID set to that same string. And let's check out what we get. Looks like I put that to the source. Let's go to the original page and this website is co-located, blah, blah, blah, you're logged in as a regular user. Okay. So no dice on that one. Log in as admin to retrieve credentials for Natas 22.

Do we need the same session already occurring? Let's comment that out and make sure that all happens. I would think maybe you need the session already occurring. No. Having equals one, debugging equals one, blah, blah, blah. Let's set a post request and make sure that actually happens, I guess. Let's post to experimenter and let's do this with post variables. If we need to whatever ways will double them up. There's nothing wrong with that. So data will equal that and submit can equal whatever admin can equal one. Let's try that. Let's try old session being set here because that's not going to let us in, is it? No. Okay. Let's grab that text then or whatever it did. Did I print it out in here? I did. So whatever that PHP session ID might be, we can pass that along to the original page, old session, and let's see if it runs. There we go. Cool.

The way that I did that was I got the original session set up. Maybe we may not even need this post since we were doing with get earlier. Let's try that. Nope. Looks like we don't need to do it in post because again that request global in PHP will work just fine. It'll take either get or post variables. It includes them all.
So after I've got that session already set up, I'm able to just steal the cookie from the original page, the experimenter, bring that over to the real level page, pass that along with the cookies, and it will say, okay, great, you're authenticated, you're logged in with that admin credential. You're admin, the credentials for the next level are Natas 22, and we'll keep moving. Save this as Natas 22, let's get the password in here. We don't need the experimenter variable anymore. Probably just use that and don't need the others, but that is that. That is Natas level 21. An interesting trick with an external page, hmm, don't know what this is doing.

Looks like we'll check out Natas 22 in the next video, but hey, if you did like this video, please do press that like button. Maybe leave me a comment. Let me know what you think, what else you'd like to see, what else I could do better with how you solve this. If you're willing to subscribe and if you really want to support me, please just check me out on Patreon. On that note, a special shout out to those that support me already, Spencer Clark. Thank you so, so much for everything that you're sending along. You really help in supporting me in the channel. I offer a reward if you support anything. If you send in anything in Patreon, I'll give you a shout out for every video. And $5 and more, and I'll give you early access to whatever I can for what I upload to YouTube. Thanks for watching, guys. See you in the next video.
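
The flaw walked through above, as an added example that is not from the video or the level's source: a Python model of two co-located apps sharing one session store, with the copy-everything handler beside an allowlisted, namespaced one. The store class, handler names, key allowlist and the "1" encoding of the admin flag are all assumptions.

```python
# Added model of the flaw described in the video; not the level's PHP source.
# All names (ALLOWED_KEYS, the handlers, the "1" admin flag) are assumptions.
import secrets

ALLOWED_KEYS = {"align", "fontsize", "bgcolor"}  # hypothetical style settings

class SessionStore:
    """Server-side sessions shared by every app that reads the same cookie."""
    def __init__(self):
        self._data = {}

    def open(self, sid=None):
        # Unknown or missing IDs get a fresh session, never a caller-chosen one.
        if sid not in self._data:
            sid = secrets.token_hex(16)
            self._data[sid] = {}
        return sid, self._data[sid]

def experimenter_vulnerable(store, sid, request):
    """Copies every request parameter into the session once 'submit' is present."""
    sid, session = store.open(sid)
    if "submit" in request:
        for key, value in request.items():
            session[key] = value  # the flaw: the caller chooses the session key
    return sid

def experimenter_hardened(store, sid, request):
    """Writes only allowlisted keys, under a namespace private to this app."""
    sid, session = store.open(sid)
    if "submit" in request:
        style = session.setdefault("experimenter", {})
        for key in request.keys() & ALLOWED_KEYS:
            style[key] = str(request[key])
    return sid

def main_site_is_admin(store, sid):
    """The co-located main page trusts the 'admin' flag in the shared session."""
    _, session = store.open(sid)
    return session.get("admin") == "1"

def demo(handler):
    store = SessionStore()
    request = {"submit": "1", "bgcolor": "yellow", "admin": "1"}  # constructed input
    sid = handler(store, None, request)    # session created on the helper site
    return main_site_is_admin(store, sid)  # same cookie presented to the main site
```

`demo(experimenter_vulnerable)` shows the main site granting admin from a session it never wrote; with `experimenter_hardened` the extra key is dropped and the style settings cannot collide with authorization state.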