hacking, owasp, web application security

OverTheWire: Natas Level 3 – #appsec #webapp #websecurity #wargames

Another day, anther challenge…

In today’s challenge we will solve level 3 from the Natas wargame. Let’s begin.

Going to the following link, and entering the username of “natas3” and password we retrieved from the second challenge we see:


Password from level 2:


Pressing Enter we see:


Doing a right click, view source we see:


Hmm… we have a hint. “No more information leaks!! Not even Google will find it this time…”

Knowing a thing or two about how Google indexes websites, I know that some websites use a robots.txt file. Let’s see if this website is using that.

Entering “robots.txt” at the end of the URL we see:


OK – the first parameter user-agent specifies that any agent is allowed. We’re disallowing the /s3cr3t/ folder. Let’s go to this folder and see what’s there…

Entering the /s3cret/ folder we see:


Hmm… there’s a users.txt file. Let’s see what’s there.


We found the password for level 4!