OverTheWire: Natas Level 2 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going to solve level 2 from the Natas wargame.

Let’s begin.

Going to the following link we see:


We’ve acquired the password for level 2 from the level 1 challenge (screenshot below):


Entering the username “natas2” and the password from the above screenshot, we see the following:


Nothing on the page, eh… I don’t believe that.

Let’s right-click, choose View Source, and see what we get.


We notice an image tag whose source is a pixel image.

Clicking this link we see:


It truly is just a pixel. What if we remove the “pixel.png”? Maybe there are other files on the system. Let’s try it.

Removing the “pixel.png” and pressing Enter we see:


We see an extra file – users.txt. I wonder what’s in it.

Clicking users.txt, we notice that it lists different usernames and passwords. The one we want is the fourth row – natas3. We’ve found the natas3 password!
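A defender's view of the same finding, as an added example that is not from the original post: the script takes the directories a page's own image tags reference and reports any that return an auto-generated listing containing sensitive-looking files. The `static/` path, the `site.example` host, the sample HTML, the extension list and the "Index of" title heuristic are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

SENSITIVE_EXT = (".txt", ".bak", ".sql", ".env", ".log")  # assumed list, tune per site

class _Page(HTMLParser):
    """Parses html and keeps its <title> text, <a href> targets and <img src> values."""
    def __init__(self, html):
        super().__init__()
        self.title, self.links, self.images, self._in_title = "", [], [], False
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])
    def handle_endtag(self, tag):
        self._in_title = self._in_title and tag != "title"
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def asset_directories(page_url, html):
    """Directories revealed by the page's own image references (what view-source shows)."""
    return sorted({urljoin(page_url, src).rsplit("/", 1)[0] + "/" for src in _Page(html).images})

def listing_entries(html):
    """File names if the body looks like an auto-generated index, else an empty list."""
    page = _Page(html)
    if not page.title.strip().lower().startswith("index of"):  # heuristic, an assumption
        return []
    # Drop column-sort links ("?C=N;O=D") and parent-directory links.
    return [h for h in page.links if not h.startswith(("?", "/", "../"))]

def audit(page_url, page_html, fetch):
    """Map each listable asset directory to the sensitive-looking files it exposes."""
    findings = {}
    for directory in asset_directories(page_url, page_html):
        names = listing_entries(fetch(directory))
        if names:
            findings[directory] = [n for n in names if n.lower().endswith(SENSITIVE_EXT)]
    return findings

# Constructed sample responses (not captured from the wargame server).
PAGE = '<html><body>There is nothing on this page <img src="static/pixel.png"></body></html>'
INDEX = ('<html><head><title>Index of /static</title></head><body>'
         '<a href="?C=N;O=D">Name</a><a href="/">Parent Directory</a>'
         '<a href="pixel.png">pixel.png</a><a href="users.txt">users.txt</a></body></html>')
RESPONSES = {"http://site.example/static/": INDEX}
```

To check a site you operate, pass a `fetch` that performs an HTTP GET and returns the response body. A non-empty result means directory listing should be turned off for that path or the files moved out of the web root.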
