We can use the credentials obtained from the previous post to log into Level 3. Upon logging in, we are presented with a screen similar to that of Level 2:
Again, as always we will start by viewing the source of the page:
<html>
<head><link rel="stylesheet" type="text/css" href="http://www.overthewire.org/wargames/natas/level.css"></head>
<body>
<h1>natas3</h1>
<div id="content">
There is nothing on this page
<!-- No more information leaks!! Not even Google will find it this time... -->
</div>
</body></html>
We can see a comment embedded into the source code that mentions that "Not even Google will find it this time..." My first thought (which proved correct) was to check and see if a robots.txt file was present, since this determines if a web crawler (i.e. Google's) will "find" particular content.
We can see the contents of this file located at http://natas3.natas.labs.overthewire.org/robots.txt:
User-agent: *
Disallow: /s3cr3t/
Here we find a /s3cr3t directory, which is listable and contains the following:
Again, another "users.txt" file, which this time contains:
natas4:8ywPLDUB2yY2ujFnwGUdWWp8MT4yZrqz
And there we have it. We can use these credentials to log in to the next challenge. More writeups to come.
-Jordan
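The same check from the site owner's side, as an added example that is not part of the original post: it parses a robots.txt body, lists every path the file discloses to anyone who requests it, and flags disclosed paths that answer with an auto-generated directory index. The `fetch` callable and the "Index of" sample page are assumptions, constructed so the example runs offline.

```python
# Added example (not from the original post): owner-side robots.txt audit.
ROBOTS = "User-agent: *\nDisallow: /s3cr3t/\n"   # file contents shown in the post
# Constructed sample: Apache-style auto-generated index page (assumed format).
INDEX_PAGE = "<html><head><title>Index of /s3cr3t</title></head><body></body></html>"

def parse_robots(text):
    """Return {user-agent: [Disallow paths]} using robots.txt group rules."""
    groups, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        # Drop comments, then split "Field: value"; lines without ':' are ignored.
        field, _, value = raw.split("#", 1)[0].partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                          # rules were seen: new group
                agents, in_rules = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:     # empty Disallow blocks nothing
                for agent in agents:
                    groups[agent].append(value)
    return groups

def disclosed_paths(text):
    """Distinct paths the file reveals to anyone who requests it."""
    paths = []
    for group in parse_robots(text).values():
        for path in group:
            if path != "/" and path not in paths:
                paths.append(path)
    return paths

def audit(robots_text, fetch):
    """fetch(path) -> response body or None; a hypothetical injected callable."""
    findings = []
    for path in disclosed_paths(robots_text):
        body = fetch(path)
        if body is None:
            status = "disclosed only"
        elif "<title>index of /" in body.lower():  # directory-listing heuristic
            status = "disclosed, reachable, listing enabled"
        else:
            status = "disclosed, reachable"
        findings.append((path, status))
    return findings

if __name__ == "__main__":
    print(audit(ROBOTS, {"/s3cr3t/": INDEX_PAGE}.get))
```

Any path this reports as reachable needs real access control (authentication, or removal from the web root) and directory indexing turned off; a Disallow line only asks well-behaved crawlers to stay away.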