ekko1500

How OverTheWire's Natas Humbled Me in 4 Levels or Less

By: Me, a person who definitely cried a little

Date: Today, sadly


Day 1: Confidence is a Trap

I started Natas thinking, "It's just web security. I've used a browser before. How hard can it be?"

Famous last words.

Level 0 and 1 were fine. Base64 decoding? Please. I'm basically a hacker already.

Then Level 2 happened.


The PNG That Broke Me

I saw a pixel.png in the source code and thought, "Aha! Steganography!"

What followed was:

  • Trying to wget the file and getting a 401 Unauthorized (because I forgot the credentials... twice)
  • Finally getting credentials from Level 1, then facing a DNS resolution failure (thanks, my ISP)
  • Discovering my WSL had no sudo (turns out I wasn't even in WSL—I was in Git Bash like a lost child)
  • Installing exiftool after 45 minutes of dependency hell
  • Running exiftool pixel.png and getting... absolutely nothing
  • Trying strings, binwalk, and even a hex editor—still nothing
  • Finally admitting defeat and asking for help

The answer?

The PNG was a tracking pixel. 1x1. Transparent. Empty.

The real password was sitting in users.txt in the same directory, visible to anyone who bothered to look at the file listing.

I spent 6 hours analyzing nothing.


Level 3: Google's Gift to Idiots (Me)

Level 3's source code had a comment:

"Not even Google will find it this time..."

I stared at it for 10 minutes. Then I remembered: robots.txt.

One quick visit to /robots.txt and I saw:

Disallow: /s3cr3t/

I literally facepalmed. So loud my neighbor asked if I was okay.

Found the hidden directory. Found users.txt. Found the password for Level 4.

That took 90 seconds.
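
The robots.txt lesson seen from the site owner's side, as an added example that is not part of the original post: a small audit that lists every path a robots.txt file names to anyone who fetches it. The sample file, the function names and the extra user-agents and paths are constructed for illustration; only the `Disallow: /s3cr3t/` line comes from the post.

```python
# Added example (not from the original post): audit what robots.txt advertises.
# SAMPLE_ROBOTS is constructed; only "Disallow: /s3cr3t/" comes from the post.
SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /s3cr3t/   # the line quoted in the post
Disallow:

User-agent: examplebot
User-agent: otherbot
Disallow: /backup/
Allow: /backup/public/
"""


def disclosed_paths(robots_txt):
    """Return {user_agent: [disallowed paths]} parsed from robots.txt text."""
    rules = {}
    agents = []        # user-agents of the group currently being read
    in_rules = False   # True once the current group has seen a rule line
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()                 # field names are case-insensitive
        if field == "user-agent":
            if in_rules:                      # a rule line closed the last group
                agents, in_rules = [], False
            agents.append(value.lower())
            rules.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:  # an empty Disallow blocks nothing
                for agent in agents:
                    if value not in rules[agent]:
                        rules[agent].append(value)
    return rules


def report(robots_txt):
    """One finding per path that the file names to every visitor."""
    return [f"{agent}: {path} is publicly named; it needs real access control"
            for agent, paths in disclosed_paths(robots_txt).items()
            for path in paths]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROBOTS)))
```
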


Lessons Learned (The Hard Way)

| Lesson | Why It Hurt |
| --- | --- |
| Read the directory listing first | Because the answer is rarely in a blank PNG |
| Don't ignore source code comments | They're not flavor text—they're hints |
| Google doesn't index everything | But robots.txt tells you exactly what Google was told to ignore |
| WSL is not magic | You actually have to open it. Git Bash is not Linux. |
| Ask for help before hour 5 | My ego cost me 6 hours of my life |

Final Thoughts

I'm only on Level 3 and I've already:

  • Misdiagnosed a tracking pixel as a steganography challenge
  • Fought with DNS, WSL, and my own pride
  • Learned that robots.txt exists (should've known that already)
  • Realized I'm not as smart as I thought I was

But I'm still going.

Natas 4 tomorrow. Maybe I'll actually read the source code this time.


PSA to Future Me (and You)

If you're stuck on a Natas level and you find yourself installing forensic tools...

Stop.

Check the directory listing first. Read the source code again. Look for robots.txt.

The answer is rarely encrypted. It's usually just hidden in plain sight, laughing at you.


End of day. Time to touch grass.
