We can use the credentials obtained from the previous post to log into Level 3. Upon logging, we are presented with a screen similar to that of Level 2:
Again, as always we will start by viewing the source of the page:
<html> <head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head> <body> <h1>natas3</h1> <div id="content"> There is nothing on this page <!-- No more information leaks!! Not even Google will find it this time... --> </div> </body></html>
We can see a comment embedded into the source code that mentions that "Not even Google will find it this time..." My first thought (which proved correct) was to check and see if a robots.txt file was present, since this determines if a web crawler (ie Google's) will "find" particular content.
We can see the contents of this file located at http://natas3.natas.labs.overthewire.org/robots.txt:
User-agent: * Disallow: /s3cr3t/
Here we find a /s3cr3t directory, which is listable and contains the following:
Again, another "users.txt" file, which this time contains:
And there we have it. We can use these credentials to log in to the next challenge. More writeups to come.