Bruteforcing PHPSESSID: Python Web Hacking | Natas: OverTheWire (Level 18)
Key Takeaways
Demonstrates bruteforcing PHPSESSID using Python web hacking on Natas: OverTheWire (Level 18)
Full Transcript
What's up YouTube, this is John Hammond and we're looking again at the Natas war game from OverTheWire. So now we're on level 18, and let's go ahead and run our script to see what it is that we are actually working with here. Looks like the page returns "Please log in with your admin account to retrieve credentials for natas19." Okay, so this doesn't look like the SQL injection or the command execution that we had seen in some of the other levels; maybe this is something new. We have a username and password input fields here, but let's take a look at the source code and try to analyze what we can. Paste that into our GET request, and now we can de-entitize what that returns for us and remove all the break tags with some find-and-replace magic.

So the PHP code starts out telling us we have a max ID variable set to 640; in the comment here, "640 should be enough for everyone." Don't entirely know what that means just yet, so we'll keep reading. Here's one function, isValidAdminLogin: determines if the request username is equal to admin. "This method of authentication appears to be safe and has been disabled for now." Okay, so that function just returns zero; it pretty much does nothing, it just returns zero. Okay, but that kind of nerfs our ability to log in as admin, because if we were to pass along a request with the username field just trying to log in as admin, it wouldn't work for us. So okay, whatever, that's not gonna do anything, it just returns zero. So this function isValidID just returns whether or not the argument that's passed to it, the ID, is a number. createID: user doesn't look like it's actually used in this function, but it does take advantage of this max ID variable (it's global scope, right on the outside) and it creates a random number from 1 to 640; that's what that rand function does. Okay, so createID is kind of random. Debug messages we can use with a GET parameter; that's pretty handy to know in case it gives us any valuable information. But my_session_start looks like it will determine whether or not a session ID already exists in the cookie, a PHP session ID, and if it's valid or not, and if that is the case it will go through with this code; if not, it does nothing, there is no else statement with this it looks like. So if a session hasn't already started, looks like it will just say it fails, or return false; otherwise it will create a new session, determine if you're an admin, and debug. Okay, looks like it closes that admin variable there such that session admin equals zero. Okay, so that locks us out again of being an admin; that still won't work, right, there's isValidAdminLogin returning zero, session admin being set to zero. So if a session was old, admin flag set, it resets us. So it looks like it never really lets us be that session admin, yeah, even this session admin equals zero. But later on in this printCredentials function, it looks like it's trying to determine if session admin is equal to one; then it will say "You are an admin, the credentials for the next level are here." So we have to set session admin to one, but we can't in this code, based on what we've read so far. Well, otherwise, "you are logged in as a regular user, a regular user, so log in as admin to retrieve credentials," huh. If the session has started it will display that; otherwise it will read the request for us, session admin is going to be 0 because that isValidAdminLogin is 0, and it will show the form if we haven't logged in.

Okay, so let's just try it out. Let's go ahead and make a GET request here, we'll pass in the data; make sure we actually post to the real page, not the source code, now change the URL up there. Username can equal "please" and password can be "subscribe", shameless self-advertisement. Run this, so we get here: "You are logged in as the regular user, log in as an admin to retrieve credentials for natas19." What the heck? Okay, I don't know why we aren't an admin, other than the fact that I tried to log in as please/subscribe, so clearly we're not gonna be an admin just like that. Let's print out what cookies we have, because it looked like in the source code it was showing us the PHP session variable, PHPSESSID, being set to 260. So that must be what that source code gave us as the random number, random between 1 and 640. But there's no way we could otherwise be an admin, because it wouldn't let us use any of those session admin variables. So maybe one of these session IDs is just the admin ID. I'm gonna do a little bit of research here; let's fire up Firefox. And I just wanted to show this to you, because PHPSESSID is something we should probably get to know. I know there is a PHPSESSID php.com-like article on this thing; there's got to be a session ID, PHPSESSID... will actually tell us what this thing is. It looks like it just gets and sets session functions; it won't tell us anything about what that PHPSESSID is, although then there is one and it looks like it has to be stored. Stack Overflow: "PHP uses two methods of keeping track of sessions; if cookies are enabled, like in your case, it uses them." Okay, so that must be what we're working with. So looks like we have to change that cookie variable, PHPSESSID, to one of the numbers between 1 and 640, because maybe one of them will be an admin ID. So let's try that; let's get the page with a session ID set to something else. So let's get with cookies equals PHPSESSID set to 1, right, it's got to be a string here. I don't need the cookies anymore, so I'm pretty trusting it will return... says "You're logged in as regular, a regular loser." And let's actually move forward from this here, because we want to see... okay, that one clearly wasn't the admin user, so what else can we get that might be? We want to determine in a loop, because we're getting the page over and over and over again with a new session ID, if we are the admin. So "You are an admin" was the string that was in it, right? Let's see, content = response.text can just be the content variable that we're working with. Content, actually probably want that down here: print "got it" and then print the content; just print "trying ID" or "session ID", and we will loop through for session ID in range of 1 to 640; we can go up to 641, since that will be inclusive here, and let's run str of our session ID. Before we went to do this I should have actually checked that, or saved that source code, because I wanted to know what that string would be, because honestly I forget. So let's just check; let's just do one more GET request to make sure that is the correct string determining if we are not an admin. Let's print response.text de-entitized. I really should just save this code, I'm sorry I didn't. "You are an admin", okay, that works just fine for us, good. Let's put this in a new pane in case we need it again and let's start the attack. Session ID: get with the cookies, PHPSESSID being set as a string here, getting the content, determining if "You are an admin" is in the content; if it is, it will get it, and then otherwise it will print "trying session ID". And let's see how this looks; I'm gonna do this in the command line so we can python natas18.py: try 1, 2, 3, etc., etc., etc. So I'll let this run, and actually I should probably put a break when we get it and then print the session ID that we got. Now let's run this and I'll pause the video, so I'll pause the recording, so once it's done we can see what the password is.

So I ran through it and it didn't work, so let's take a look at the code and see what's wrong. Oh, we were sending that to the source code all along, I'm a fool. So that code probably would have worked. I'm gonna pause the video here, pause the recording, so I can see... okay, so the script returned now and I did get the correct session ID, or admin ID, at ID number 138. So here we've got the password: "You are an admin, the credentials for the next level are: natas19, password" this guy, and that's it. So the session ID we're passing in to our request, but since that's not part of the session object, it doesn't look like it's staying in the session object itself; it looks like it's just going for that request, so that's a peculiar note. And I really want to apologize about sending it to the wrong page up there with the index-source still in the URL; I'm sure you were probably screaming at me the entire time, "you need to remember to change that." But thank you guys for watching, hope you enjoyed this. Let's go ahead and put this new password in a new script; let's put this in natas19 and let's go and set and see what this level is asking us to do. Cool, all right, well hey, thank you guys for watching, hope you're enjoying these videos. If you did like the video please do hit that like button, leave me a comment, let me know what you think, what you like, what I can do better, what else you'd like to see. Please subscribe, and if you really, really want to support me, head on over to my Patreon account. So thanks again guys, I'll see you in a later video.
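The enumeration the video walks through, modelled offline against a small stand-in for the level's session handling, with a CSPRNG-backed ID generator beside it to show why a 640-value ID space is the actual defect. This is an added example, not the video's script: the SessionServer class, the marker strings and the admin session at ID 138 are constructed to mirror what the transcript describes, not taken from the Natas code.

```python
import random
import secrets

MAX_ID = 640  # $maxid from the level source: session IDs come from rand(1, 640)
ADMIN_MARKER = "You are an admin."  # constructed stand-in for the page's admin text
USER_MARKER = "You are logged in as a regular user."

class SessionServer:
    """Stand-in for the PHP page: a session store plus a page renderer (constructed)."""

    def __init__(self, admin_session_id):
        # one pre-existing session already carries admin=1, as on the real level;
        # every other cookie value is treated as a fresh non-admin session
        self.sessions = {admin_session_id: {"admin": 1}}
        self.requests = 0  # how many page fetches the enumeration cost

    def get(self, phpsessid):
        """Render the page for the supplied PHPSESSID cookie value."""
        self.requests += 1
        data = self.sessions.setdefault(phpsessid, {"admin": 0})
        return ADMIN_MARKER if data["admin"] == 1 else USER_MARKER

def weak_id():
    """Mirrors createID(): rand(1, $maxid), so only 640 possible values."""
    return str(random.randint(1, MAX_ID))

def strong_id():
    """What the level should use: 128 bits from the OS CSPRNG, not enumerable."""
    return secrets.token_hex(16)

def enumerate_sessions(server, candidates):
    """The loop from the transcript: try each cookie value, stop at the admin marker."""
    for sid in candidates:
        if ADMIN_MARKER in server.get(sid):
            return sid
    return None

def demo_weak(admin_id=None):
    """Weak IDs: the whole space is exhausted in at most MAX_ID requests."""
    srv = SessionServer(str(admin_id) if admin_id else weak_id())
    found = enumerate_sessions(srv, (str(i) for i in range(1, MAX_ID + 1)))
    return found, srv.requests

def demo_strong():
    """Strong IDs: the same 640 guesses find nothing."""
    srv = SessionServer(strong_id())
    found = enumerate_sessions(srv, (str(i) for i in range(1, MAX_ID + 1)))
    return found, srv.requests
```

`demo_weak(138)` reproduces the video's result (admin found on the 138th request); `demo_strong()` returns `(None, 640)` because the cookie value is no longer a small integer.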
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond