Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Login using given credentials.
Once logged in, a navigation menu is displayed.
Clicking "Home" or "About" displays a text and changes the URL.
From this behavior it can be assumed that "Home" and "About" are loaded using an include statement. To confirm this assumption it is possible, for example, to try to specify a dummy page name instead of one of the available pages. Calling
/index.php?page=bla returns the following:
Here it can be seen that an attempt is made to load "bla". This vulnerability is called Local File Inclusion (LFI). Now, to find the password for the next level, the path of the file with the password needs to be located. Fortunately, the path to this file is mentioned in a comment in the page source code.
<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
/index.php?page=../../../../etc/natas_webpass/natas8 returns the password for the next level: