Welcome back. In this post we’re going to continue on in the Natas wargame, provided by Over The Wire. This is a web-based wargame highlighting web security issues. Let’s get started.
Level 2
Upon logging into the level2 page with the password we acquired during the previous level, we see a message saying that there is nothing on this page. That’s great, but let’s see if there is anything of use. View source! In the source we can see two links that reveal directory structure. One is to the CSS file for Natas, and looking at its URL we might remember that it’s the main URL of Natas. Since a page loads when we go there, some sort of index.html file must exist, the default file which is loaded when a directory is accessed. Thus, we won’t be able to get a listing of that directory. However, if we look at the other link, “files/pixel.png”, we see that the local files directory is a directory we haven’t looked in yet. So, let’s go there and see if we can get a directory listing to find anything interesting. Hitting http://natas2.natas.labs.overthewire.org/files/ we get a directory listing of two files, pixel.png and users.txt. Looking in users.txt we see the password for the next level!
Moral of the story? Watch which directories sit inside a web-viewable folder. Throw in an index.html if you don’t want a directory listing for a directory, use something like .htaccess to limit access to specific directories, or turn off directory listing in general!
Level 3
Upon logging into the level3 web page, we see a message saying nothing is there, again. So let’s view source (this should be second nature by now). A comment says there are no information leaks, not even to Google. What could that mean?
Well, if you know how Google works (at least in the big picture), you might know that it “crawls” through the internet looking for pages so that it can index them and search through them. Google also knows that certain site owners may not want it searching through certain things. As such, Google and many other search engines will look for a specific file on a given website which describes what they may search through and what they shouldn’t. This might be what level3’s comment is talking about. If this file exists telling Google not to look in certain places, it will give us an idea of the directory structure of this level! This file is called robots.txt. Let’s look for this file ourselves!
Pointing our browser at robots.txt we see it specifies a directory which shouldn’t be searched. However, since this is just a request for search engines to not search it, it still allows for us users to load it up! Looking in this directory we see a single users.txt file with the password for the next level. Done!
Lesson? Robots.txt asks search engines not to search through directories; it doesn’t stop them from doing so, nor does it disable directory listings. Robots.txt is a polite request for someone not to do something; it isn’t a security measure!
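Both lessons (Level 2 and Level 3) can be checked on your own server before anyone else finds the problem. The script below is an added example, not part of the original walkthrough: it walks a local document root, reports directories with no index file, and reports robots.txt Disallow entries that point at real directories. The index file names, function names and the sample tree (including "private-area") are assumptions made up for the illustration.

```python
import os
import tempfile

# Assumed default-document names; match these to your server's configuration.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def parse_disallow(robots_text):
    """Return the non-empty Disallow paths found in robots.txt text."""
    paths = []
    for line in robots_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def audit_docroot(docroot):
    """Return (dirs with no index file, dirs that robots.txt points at)."""
    listable, advertised = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()                               # deterministic order
        if not INDEX_NAMES & {f.lower() for f in filenames}:
            rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
            listable.append("/" if rel == "." else "/" + rel + "/")
    robots = os.path.join(docroot, "robots.txt")
    if os.path.isfile(robots):
        with open(robots, encoding="utf-8", errors="replace") as fh:
            for path in parse_disallow(fh.read()):
                rel = path.strip("/")
                # Wildcard patterns simply fail the isdir check and are skipped.
                if rel and os.path.isdir(os.path.join(docroot, *rel.split("/"))):
                    advertised.append("/" + rel + "/")
    return listable, advertised

def build_sample(root):
    """Constructed sample tree shaped like the two levels (names are made up)."""
    files = {"index.html": "<html></html>", "files/pixel.png": "",
             "files/users.txt": "placeholder", "private-area/users.txt": "placeholder",
             "robots.txt": "User-agent: *\nDisallow: /private-area/\n"}
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_docroot(tmp))
```

A directory in the first list is only exposed if the server has listings enabled (on Apache, `Options -Indexes` turns them off); a directory in the second list needs real access control, since robots.txt publishes its name.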