Challenge: It's actually not really a challenge, just some information the page gives you. I'll still keep calling it a challenge.
Access disallowed. You are visiting from “” while authorized users should come only from “http://natas5.natas.labs.overthewire.org/”
Refresh page

Solving it:
Once again, let's look at the HTML source:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="https://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="https://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="https://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas4", "pass": "Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ" };</script></head>
<body>
<h1>natas4</h1>
<div id="content">

Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
<br/>
<div id="viewsource"><a href="index.php">Refresh page</a></div>
</div>
</body>
</html>

Seeing this, we probably need to have the Referer header set to http://natas5.natas.labs.overthewire.org/. Let's see if we can do this in the developer tools; otherwise we should start up Kali and do it with Burp Suite. I could not find anything in the developer console, so I started up my Kali machine to do the task. Running Burp, logging in again and then turning on the proxy while refreshing the page gives us the following request:

As we can see, the Referer says http://natas4.natas.labs.overthewire.org/index.php. Let's change this to http://natas5.natas.labs.overthewire.org/ and click Forward a couple of times so that this request and any other requests go through. Going back to Firefox, we are greeted with the login for natas5.
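The reason this works is the point of the level: the Referer header is set by the client, so the server cannot tell a genuine navigation from natas5 apart from a hand-edited request. As an added illustration (not part of the writeup, and not the level's actual PHP, which the page does not show), the Python below models a Referer-only gate using the level's own wording, assuming an exact string comparison, and contrasts it with a decision based on server-held session state. The header dictionaries and the session dictionary are constructed for the example.

```python
"""Why a Referer check is not access control (added illustration).

Models the kind of gate natas4 presents: the page is served only when the
request's Referer header equals the natas5 URL. The comparison is assumed
to be an exact string match; the real natas4 source is not shown on the page.
"""

ALLOWED_REFERER = "http://natas5.natas.labs.overthewire.org/"


def _header(headers, name):
    """Case-insensitive header lookup, as a web server hands headers to the app."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower(), "")


def referer_gate(headers):
    """Return True when a Referer-only gate would serve the page.

    The decision depends on nothing but a string the client chose to send,
    so any client that knows the expected value passes.
    """
    return _header(headers, "Referer") == ALLOWED_REFERER


def access_message(headers):
    """Reproduce the level's response text for the given request headers."""
    sent = _header(headers, "Referer")
    if sent == ALLOWED_REFERER:
        return "Access granted."
    return (
        f'Access disallowed. You are visiting from "{sent}" while '
        f'authorized users should come only from "{ALLOWED_REFERER}"'
    )


def session_gate(session):
    """Server-side alternative (constructed, not the level's code).

    Here the decision rests on state the server set itself, for example a
    flag stored in a server-side session after a successful natas5 login.
    The client can present a session identifier but cannot write the state
    behind it, so editing request headers does not change the outcome.
    """
    return session.get("authenticated_as") == "natas5"


if __name__ == "__main__":
    # Constructed requests: a browser refresh with no Referer, a refresh of the
    # natas4 page itself, and a request carrying the expected natas5 value.
    no_referer = {"Host": "natas4.natas.labs.overthewire.org"}
    from_natas4 = {"Referer": "http://natas4.natas.labs.overthewire.org/index.php"}
    from_natas5 = {"Referer": ALLOWED_REFERER}

    for name, req in [("no referer", no_referer), ("from natas4", from_natas4), ("from natas5", from_natas5)]:
        print(f"{name:12s} -> allowed={referer_gate(req)}  {access_message(req)}")

    # The same header value passes regardless of how the client produced it;
    # the gate has no way to distinguish a link click from an edited request.
    print("session gate, anonymous:", session_gate({}))
    print("session gate, natas5   :", session_gate({"authenticated_as": "natas5"}))
```

The first message printed matches the level's text for an empty Referer ("You are visiting from \"\""), which is what a direct visit produces. The contrast with `session_gate` is the practical takeaway: authorization must be derived from state the server controls, never from a header the client supplies.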
