Monday, October 29, 2012

OverTheWire - Natas Wargame Level 3 Writeup

Level 3

We can use the credentials obtained from the previous post to log into Level 3. Upon logging in, we are presented with a screen similar to that of Level 2:


Again, as always we will start by viewing the source of the page:

 <html>  
 <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>  
 <body>  
 <h1>natas3</h1>  
 <div id="content">  
 There is nothing on this page  
 <!-- No more information leaks!! Not even Google will find it this time... -->  
 </div>  
 </body></html>  

We can see a comment embedded in the source code that says "Not even Google will find it this time..." My first thought (which proved correct) was to check whether a robots.txt file was present, since this determines whether a web crawler (i.e. Google's) will "find" particular content.

We can see the contents of this file located at http://natas3.natas.labs.overthewire.org/robots.txt:

 User-agent: *  
 Disallow: /s3cr3t/  

Here we find a /s3cr3t directory, which is listable and contains the following:


Again, we find a "users.txt" file, which this time contains:

 natas4:8ywPLDUB2yY2ujFnwGUdWWp8MT4yZrqz  

And there we have it. We can use these credentials to log in to the next challenge. More writeups to come.

-Jordan
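
For site owners, the point of this level is that robots.txt is itself public, so every Disallow line advertises the path it names. The following added example (not part of the original post) parses a robots.txt and flags Disallow entries whose names suggest sensitive content; the keyword list, the leetspeak mapping and the sample lines beyond the two quoted above are assumptions.

```python
# Constructed sample: the two lines shown in the post plus hypothetical extras.
SAMPLE = """\
User-agent: *
Disallow: /s3cr3t/
Disallow: /images/   # harmless
Allow: /public/

User-agent: examplebot
Disallow:
Disallow: /Admin-Backup/
"""

# Assumed keyword list and leetspeak mapping; tune both for your own site.
SENSITIVE = ("secret", "admin", "backup", "private", "passw", "internal", "config")
LEET = str.maketrans("013457$@", "oieastsa")


def parse_robots(text):
    """Yield (user_agents, directive, path) for each Allow/Disallow rule."""
    agents, in_rules = [], False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        key = key.lower()                      # directive names are case-insensitive
        if key == "user-agent":
            if in_rules:                       # a new group starts after rules were seen
                agents, in_rules = [], False
            agents.append(value)
        elif key in ("allow", "disallow"):
            in_rules = True
            if value:                          # empty Disallow blocks nothing
                yield tuple(agents), key, value


def revealing_entries(text):
    """Return Disallow paths whose de-leeted name contains a sensitive keyword."""
    hits = []
    for agents, directive, path in parse_robots(text):
        normalized = path.lower().translate(LEET)
        if directive == "disallow" and any(k in normalized for k in SENSITIVE):
            hits.append((path, agents))
    return hits


if __name__ == "__main__":
    for path, agents in revealing_entries(SAMPLE):
        print(f"{path} (agents: {', '.join(agents)}) is advertised in robots.txt")
```

Any path this flags should be protected by authentication and have directory listing disabled, rather than relying on crawlers not indexing it.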
