Recap of Last Lesson: We learned about the HTTP protocol and the different HTTP fields, and learned how to use a proxy to intercept HTTP requests.
Natas Level 5
Find the password to log into level 6.
- URL: http://natas5.natas.labs.overthewire.org/
- Access Disallowed
This scenario is not too different from the last one, and we can use the same methods to accomplish it. When we first arrive at Natas5, we get the “Access Disallowed” message. If you have not read the prior tutorial, I highly suggest doing so. It lays out the foundation for the methods we will use here.
Now, last time they told us why we were not allowed in. This time we do not know why we do not have access. To solve this we have to think of ways the server would know whether you have access or not. Oftentimes there will be a login page, but we do not have one here. On that same train of thought, you may notice that when you log into a website, you don’t have to re-login every single time. Why is that? The website has some way of remembering you. How do websites remember? Well, one way is by using what are called “cookies.” If you want to do web hacking, you need to know what cookies are and how they are used. In particular, you may want to read the section on session management.
There are a number of ways to view the cookies on your system, but since we are using Firefox we have many choices for add-ons that can do just this. I have used CookieCuller, but most all of them will work for you. While you can use your cookie manager to modify the cookie, I will also discuss how to modify it in transit like we did before. Let’s refresh the page like we did before and intercept the HTTP packet. We can see there is a field for “Cookie” and a number of different parameters. We need to find the one we want. Lucky for us, it is named something predictable, in this case “loggedin.”
You should see this set to zero. Are you familiar with Boolean expressions? If not, you should do a bit of reading. Simply put, Boolean values are either True or False. In this case zero equates to False, whereas a 1 will elicit a “true” response. Once we send that packet off, we should see that we are “logged in” and the information we want.
The key takeaway here is what cookies are, what functions they can provide, and how we can manipulate them. There are multiple ways to solve this, and I recommend trying to modify the cookie on your system, and also modifying it in transit. One difference to note is that if you modify it on the wire it will not be stored, whereas if you modify the cookie on your system it will stay that way.
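To make the underlying weakness concrete, here is an added Python example (not part of this walkthrough or of the Natas challenge code) that contrasts a server that trusts a client-controlled `loggedin` flag, the pattern this level demonstrates, with one that only accepts an HMAC-signed session token it issued itself. The secret and all cookie values are constructed for the demo.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Constructed demo secret; a real server loads this from configuration, never from the client.
SERVER_SECRET = b"constructed-demo-secret"


def parse_cookies(cookie_header: str) -> dict:
    """Parse a raw 'Cookie:' request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_logged_in_insecure(cookie_header: str) -> bool:
    """The Natas5 pattern: authorization decided by a flag the client can edit at will."""
    return parse_cookies(cookie_header).get("loggedin") == "1"


def sign_session(username: str) -> str:
    """Server-side issuance: the token is 'username.mac', MAC keyed with the server secret."""
    mac = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


def is_logged_in_secure(cookie_header: str) -> bool:
    """Hardened check: accept only tokens whose MAC verifies under the server secret.

    A client can still edit the cookie, but without the secret it cannot produce a
    valid MAC for any username, so flipping bits or inventing a token is rejected.
    """
    token = parse_cookies(cookie_header).get("session", "")
    username, sep, mac = token.rpartition(".")
    if not sep or not username:
        return False
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    original = "loggedin=0; PHPSESSID=constructed-id"
    tampered = "loggedin=1; PHPSESSID=constructed-id"
    print("insecure, untouched cookie:", is_logged_in_insecure(original))
    print("insecure, edited cookie:   ", is_logged_in_insecure(tampered))
    print("secure, issued token:      ", is_logged_in_secure("session=" + sign_session("natas5")))
    print("secure, forged token:      ", is_logged_in_secure("session=natas5.0000"))
```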