June 12, 2026
The Hint is Hidden in Plain Sight So is The Secret
OverTheWire Natas Level 3 → Level 4
Akshaykumar Kathirvelu
The Secret That Robots Told Me When Google Couldn't.
Level 3 → Level 4: The Solve
THE SETUP
Challenge - OverTheWire :: Natas
Category - Web Security (Server-Side)
Level 3 → 4
URL http://natas3.natas.labs.overthewire.org
Credentials natas3 / 3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH
### Again?! Yep. No SSH. Your browser is your terminal.
And here we go again: "nothing on this page", same as the previous level — nothing obvious on the surface.
THE HINT
Anyway, you start inspecting the page source and there it was! A comment said:
Obvious clue in one line which told me everything I needed to know.
THE APPROACH
The moment I read "not even Google", I figured it out — robots.txt.
If you're not familiar, look it up — robots.txt. It is a file that websites use to communicate with search engine crawlers. It tells bots like Googlebot which pages or directories they're allowed to index and which ones to skip. It lives at the root of a site and it's completely public — it has to be, otherwise crawlers couldn't read it.
Navigated to /robots.txt and as expected found another pathway:
http://natas3.natas.labs.overthewire.org/robots.txt
A Disallow directive for /s3cr3t/ — not hiding something, just a neon sign pointing straight to it.
http://natas3.natas.labs.overthewire.org/s3cr3t/
Navigated straight to /s3cr3t/. Directory listing was enabled (and again, we've seen this before), and the contents of the folder were right there, clearly visible in the browser. There was one file:
users.txt
Clicked right into it. Voila! Password for natas4, sitting there in plain text — Not hidden anymore.
Password Found (Natas4)
QryZXc2e0zahULdHrtHxzyYkj59kUxLQ
found in: /s3cr3t/users.txt · method: directory browsing ·
tool: browser · Hidden in: robots.txt
The same four questions I keep coming back to:
- What do I see? A blank page and a suspicious comment.
- What's hidden? A robots.txt file advertising a secret directory.
- What can I manipulate? The URL: I can navigate anywhere I want, disallowed or not.
- What's the goal? Find the natas4 password. That's Done.
What I Actually Learned
Here's the thing that really stuck with me: robots.txt was designed to help search engines, not to hide things from humans. When you put a sensitive path in a Disallow entry, you're not protecting it — you're publishing its location indirectly. Anyone who knows can read robots.txt. That includes attackers, CTF players, and curious people like me.
This level hammered home that "hidden from Google" is not the same as "hidden from everyone". Security through obscurity doesn't work, and robots.txt is a perfect example of how trying to obscure something can actually expose it more than doing nothing at all.
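As an added example (not part of the original write-up), here is a small Python audit a site owner could run against their own robots.txt to see which Disallow entries are reachable without authentication. The robots.txt text, the /admin/ path, the responses and the `sample_fetch` callback are constructed for illustration; only /s3cr3t/ comes from this level.

```python
import re

# Constructed sample robots.txt: only /s3cr3t/ comes from the level itself.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /s3cr3t/   # advertised, but is it protected?
Disallow: /admin/
Disallow:
"""

# Constructed responses standing in for requests to your own server.
SAMPLE_RESPONSES = {
    "/s3cr3t/": (200, "<html><head><title>Index of /s3cr3t</title></head></html>"),
    "/admin/": (401, "Authorization Required"),
}

LISTING = re.compile(r"<title>\s*Index of ", re.I)  # typical autoindex page title

def sample_fetch(path):
    """Hypothetical fetch callback: returns (status, body) for a path."""
    return SAMPLE_RESPONSES.get(path, (404, ""))

def disallowed_paths(robots_txt):
    """Return unique, non-empty Disallow values in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        # Drop trailing comments, then split "Field: value".
        field, sep, value = raw.split("#", 1)[0].partition(":")
        value = value.strip()
        # An empty Disallow value means "nothing is disallowed".
        if sep and field.strip().lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths

def audit(robots_txt, fetch):
    """Classify each advertised path by whether the server guards it."""
    findings = []
    for path in disallowed_paths(robots_txt):
        status, body = fetch(path)
        if status in (401, 403):
            verdict = "protected"
        elif status == 200:
            verdict = "exposed+listing" if LISTING.search(body) else "exposed"
        else:
            verdict = "other"
        findings.append((path, status, verdict))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_ROBOTS, sample_fetch))
```

In real use, replace `sample_fetch` with a function that requests each path from your own server without credentials; any entry not reported as protected needs real access control, not a Disallow line.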
Key Takeaways From Level 3 → Level 4
- Always check robots.txt, it's one of the first things security researchers (and attackers) look at
- Disallow entries are not considered to be access controls; they're just suggestions to crawlers that anyone can read
- Comments in source code can be unintentional hints — "not even Google" basically said "check robots.txt"
- Open directory listing continues to be a recurring theme in these levels
Level 3 → Level 4 shows how a file designed to help search engines can accidentally give attackers a pathway straight to your secrets. See you at Level 4 → Level 5.