Server-side security war games: Part 2

Use the username “natas2” and the password you obtained in level 1.

There is nothing on the page, nor anything “in” the page, if you look in the source.

Maybe there’s something in one of those external resources we can use. There’s a CSS file, and an image. The CSS file was always there, but the image is new, so let’s see if we can exploit that.

Copy the src for the image, and paste it into the address bar, after the domain part. The full URL is

The image itself is nothing helpful, but sometimes server misconfiguration can leak information about other files on the server. If you remove the pixel.png part, you’ll see a directory listing. You can see there’s a file containing the password. Open that, and use it to access the next level.

Lessons Learned

Misconfigured servers can be a problematic source of data leaks. Make sure you understand how the server you use can be configured to allow or deny access to sensitive files, or directory listings.