
OverTheWire: Natas Level 2 – #appsec #webapp #websecurity #wargames

Another day, another challenge…

In today’s blog post we’re going to solve level 2 from the Natas wargame.

Let’s begin.

Going to the following link we see:

Natas2_WarGame_1

We’ve acquired the password for level 2 from the level 1 challenge (screenshot below):

Natas1_WarGame_3

Entering the username “natas2” and the password from the above screenshot, we see the following:

Natas2_WarGame_2

Nothing on the page, eh… I don’t believe that.

Let’s right-click, choose View Source, and see what we get.

Natas2_WarGame_3

We notice an image tag whose source points to a pixel image.

Clicking this link we see:

Natas2_WarGame_4

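It truly is just a pixel. What if we remove the “pixel.png” from the URL? If the server has directory listing enabled, requesting the directory itself will show everything stored in it, so maybe there are other files on the system. Let’s try it.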

Removing the “pixel.png” and pressing Enter we see:

Natas2_WarGame_5

We see an extra file – users.txt. I wonder what’s in it.

Clicking users.txt, we see that it lists different usernames and passwords. The one we want is the fourth row – natas3. We’ve found natas3’s password!
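The same finding from the site owner's side, as an added example that is not part of the original post: a small Python audit helper that takes a page's source, works out which asset directories it references, and reports files that an auto-generated index exposes but the page never links to. The host name, the `assets/` path, the sample HTML and the "Index of" title heuristic are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

class _Refs(HTMLParser):
    """Collects every src/href attribute value in a document."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("src", "href") and v]

def refs(html):
    parser = _Refs()
    parser.feed(html)
    return parser.refs

def asset_directories(page_url, html):
    """Same-host parent directories of the assets a page references."""
    host = urlsplit(page_url).netloc
    dirs = set()
    for ref in refs(html):
        parts = urlsplit(urljoin(page_url, ref))
        parent = posixpath.dirname(parts.path)
        if parts.netloc == host and parent not in ("", "/"):
            dirs.add(f"{parts.scheme}://{host}{parent}/")
    return sorted(dirs)

def listing_entries(body):
    """File names in an auto-generated index page, or [] if it is not one."""
    if "<title>Index of " not in body:  # heuristic: common autoindex title
        return []
    # Skip column-sort links ("?...") and parent/absolute links.
    return [r for r in refs(body) if not r.startswith(("?", "/", ".."))]

def unreferenced_files(page_url, html, dir_url, listing_body):
    """Files the index exposes that the page itself never links to."""
    linked = {urljoin(page_url, r) for r in refs(html)}
    return [e for e in listing_entries(listing_body)
            if urljoin(dir_url, e) not in linked]

# Constructed sample data (host and "assets/" path are placeholders).
PAGE_URL = "https://site.example/index.html"
PAGE = '<html><body>There is nothing on this page<img src="assets/pixel.png"></body></html>'
LISTING = ('<html><head><title>Index of /assets</title></head><body>'
           '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
           '<a href="pixel.png">pixel.png</a> <a href="users.txt">users.txt</a>'
           '</body></html>')

if __name__ == "__main__":
    for d in asset_directories(PAGE_URL, PAGE):
        print(d, unreferenced_files(PAGE_URL, PAGE, d, LISTING))
```

Any file this reports deserves a look: it is reachable by anyone who trims the file name off an asset URL, so either turn the directory index off or move the file out of the web root.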