Natas 18: Weak Session ID Exploitation

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
2 min read · Oct 16, 2019

Welcome to level 18 of OverTheWire’s Natas Wargame. As in the previous articles, we’ll go through this level to determine the vulnerability and exploit it to get the next level’s password. Start by booting your attack machine, then launch OWASP ZAP and the browser of your choice.

Natas 18 presents us with a form to obtain the password. For each attempt it gives us the message that we’re a regular user. Taking a closer look (without looking at the source code) tells us very little.

Heading back to ZAP and looking at the requests and responses, the PHPSESSID cookie stands out.

It seems to be a simple, small number. We’ll use the Fuzzer built into ZAP to replay the request with every value from 1 to 1000. First select the last request, right-click it and go to Attack->Fuzz.

Now select the PHPSESSID value and click the Add button.

In the new window click Add and set the Payload type to Numberzz, from 1 to 1000.

Click Add and finally click Start Fuzzer. ZAP will generate 1000 requests, one for each number we chose, and collect 1000 responses. If everything went according to plan, we should have 999 responses stating we’re a regular user and 1 response containing the flag. Look for the difference in the response body.
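The weakness the fuzz run exploits is that the session id is a small integer, so the whole id space fits in a thousand requests. The following Python is an added example, not code from the article or from the Natas level: it estimates how many bits an id of a given shape can carry, shows what a properly generated id looks like, and runs a simple detection over constructed log lines (the log format, addresses and ids are all made up for this example) to flag a client that walks through many distinct low-entropy session ids, which is exactly what the fuzzer traffic looks like from the server side.

```python
import math
import re
import secrets
from collections import defaultdict

# Constructed sample log lines (not from the page). A hypothetical log format
# that records the session cookie next to the client address: 10.0.0.5 walks
# PHPSESSID values one by one, 10.0.0.9 reuses a single random-looking id.
SAMPLE_LOG = "\n".join(
    [f'10.0.0.5 GET /index.php 200 cookie="PHPSESSID={i}"' for i in range(1, 13)]
    + ['10.0.0.9 GET /index.php 200 cookie="PHPSESSID=b3f1c2a9d4e5f60718293a4b5c6d7e8f"'] * 3
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \d+ cookie="PHPSESSID=(?P<sid>[^"]+)"$')


def parse_line(line):
    """Return (client_ip, session_id) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("sid")


def alphabet_bits(sid):
    """Upper bound on the entropy a session id of this shape can carry.

    A decimal id such as '42' carries at most log2(10) bits per digit, a hex id
    4 bits per character, a URL-safe base64 id 6 bits per character.
    """
    if sid.isdigit():
        return len(sid) * math.log2(10)
    if re.fullmatch(r"[0-9a-fA-F]+", sid):
        return len(sid) * 4
    if re.fullmatch(r"[A-Za-z0-9_-]+", sid):
        return len(sid) * 6
    return len(sid) * 8


def find_session_enumeration(log_text, min_distinct=5, weak_below_bits=64):
    """Flag clients presenting many distinct low-entropy session ids.

    Returns {ip: number_of_distinct_weak_ids} for every client at or above
    min_distinct. Ids with at least weak_below_bits of capacity are ignored,
    since a client cannot realistically enumerate those.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, sid = parsed
        if alphabet_bits(sid) < weak_below_bits:
            seen[ip].add(sid)
    return {ip: len(sids) for ip, sids in seen.items() if len(sids) >= min_distinct}


def secure_session_id():
    """What a session id should look like: 128 bits from the OS CSPRNG, hex encoded."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print(find_session_enumeration(SAMPLE_LOG))
    print(round(alphabet_bits("1000"), 1), "bits vs", alphabet_bits(secure_session_id()), "bits")
```

The numbers make the point: a four-digit id tops out around 13 bits, so 1000 requests cover the whole space, while a 32-character hex id has 128 bits of room and cannot be enumerated. On the detection side, one address presenting a dozen distinct small-integer session ids in a short window is a strong signal of session id guessing and is cheap to alert on.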
