Warning: This post contains a solution!
Only continue if:
1.) you want to see a possible alternative solution or
2.) you are stuck and need a hint!
Login using given credentials.
The message on the page is:
Access disallowed. You are visiting from "" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
After clicking "Refresh page" on the site, the message changes to:
Access disallowed. You are visiting from "http://natas4.natas.labs.overthewire.org/" while authorized users should come only from "http://natas5.natas.labs.overthewire.org/"
This means, that the page checks the "Referer"-Header value and want's it to be "http://natas5.natas.labs.overthewire.org/". This can be done using any tool that allows editing the HTTP-Header values.
I'm using Burp and add following to the Request-Header:
... Referer: http://natas5.natas.labs.overthewire.org/ ...
Access granted. The password for natas5 is iX6Ixxxxxxxxxxxxxxxxxxxxxxxxxxxx