Upon loading level 4, we’re met with a message that tells us we’re denied access. Valid vistors should be coming from natas5. Obviously, we can’t access that URL yet, lacking either the ability to see the future or a handy time machine. So how does the page know where we’re coming from? That would be the referer attribute in the HTTP request header. Modern browsers being as developer friendly as they are, we can hit F12 and load up the console. In firefox, I can navigate over the network tab and look at the various requests used to load the page. Identifying the request for index.php, we can edit the headers and then resend the request. Adding Referer
http://natas5.natas.labs.overthewire.org/ to the header gives a response with the desired effect, the password for natas5.