hacking, owasp, web application security

OverTheWire: Natas Level 3 – #appsec #webapp #websecurity #wargames

Another day, anther challenge…

In today’s challenge we will solve level 3 from the Natas wargame. Let’s begin.

Going to the following link, and entering the username of “natas3” and password we retrieved from the second challenge we see:

Natas3_WarGame_1

Password from level 2:

Natas2_WarGame_6

Pressing Enter we see:

Natas3_WarGame_2

Doing a right click, view source we see:

Natas3_WarGame_3

Hmm… we have a hint. “No more information leaks!! Not even Google will find it this time…”

Knowing a thing or two about how Google indexes websites, I know that some websites use a robots.txt file. Let’s see if this website is using that.

Entering “robots.txt” at the end of the URL we see:

Natas3_WarGame_4

OK – the first parameter user-agent specifies that any agent is allowed. We’re disallowing the /s3cr3t/ folder. Let’s go to this folder and see what’s there…

Entering the /s3cret/ folder we see:

Natas3_WarGame_5

Hmm… there’s a users.txt file. Let’s see what’s there.

Natas3_WarGame_6

We found the password for level 4!