A HUGE selection of challenges with a range of difficulty. Really enjoyed this and managed to complete a lot of the easier challenges; great sense of achievement completing the “Meet The Team” challenge and learning about Git Internals.
The Mission
Intro – first flag located by Viewing Source of page – flag{48e117a1464c3202714dc9a350533a59}
Bionic – flag located in the robots.txt file – flag{33b5240485dda77430d3de22996297a1}
Meet The Team – this is where it got a little more tricky.
Navigating to the disallowed page in robots.txt, we find that the content has been redacted for security reasons. However, the source code for various pages suggests that the source repository is exposed to the internet.
I found this article on Git incredibly helpful as I tried to find the solution.
We start by making an empty git repo on our machine
mkdir git-tests
#navigate into the new folder
cd git-tests
#initialise the repository
git init
The new repository is now initialised and can be used to run git commands.
Git objects are stored by SHA1 hash, with first 2 chars of the hash value forming the folder name, and the remainder the filename.
A change log can be obtained from the site repository at https://constellations.page/.git/logs/HEAD.
We now work through each hash value, making a local directory for each object, downloading it and using git cat-file, looking for “blobs” (data files) as follows:
#make a local directory for the object
mkdir .git/objects/11
#download the object
curl https://constellations.page/.git/objects/11/42cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a --output ./.git/objects/11/42cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a
#view the object (note git only needs the first few characters of the SHA1 hash
git cat-file -p 1142cc
Repeat the process, following trees to locate “blobs” of data.
Starting from the top of the log, I found 100644 blob aa133c2b96c58dc78f775cc02632a9a4685e8b46 meet-the-team.html – an unredacted list of the team but no flag!
- Orion Morra
- Lyra Patte
- Leo Rison
- Gemini Coley
- Hercules Scoxland
- Vela Leray
- Pavo Welly
- Gus Rodry
I should have started at the end of the log and worked backwards!
Newer blob 8257067778403187030c701b782e25a85390f899 when reconstructed has flag:
flag{4063962f3a52f923ddb4411c139dd24c}
New challenges now open up for certain members of the team, inviting us to hunt flags on their socials.
Orion – Orion Morra has a Twitter account – @OrionMorra
Browsing through his profile we find an image:
The handwritten flag can be clearly seen on the piece of paper on the desk. However if you look carefully, you can also see a post it note reflected in the monitor screen. Look closer still and you see this has a username “orion” and password “stars4love4life”. These are needed for a later challenge (I didn’t complete it, but the credentials worked). The words are reversed and it seems this proved tricky enough that on the final day of the challenge they posted a much clearer image on the Twitter feed!
Lyra – Lyra Patte has a Twitter account @LyraPatte
Browsing through the profile, we find she has posted a link from the website:
https://constellations.page/constellations-documents/1/
The /1/ is an indicator that we be able to leverage some simple file inclusion. Incrementing the number, we find a page marked “INTERNAL DOC ONLY” at https://constellations.page/constellations-documents/5/
This seems to contain some usernames and a list of “default passwords” which might prove useful for a later challenge.
There is also a flag flag{bd869e6193c27308d2fd3ad4b427e8c3}
Leo – Leo has an Instagram account at @_leorison
Browsing through Leo’s Insta posts we find a QR Code, which when scanned coughs up the flag flag{636db5f4f0e36908a4f1a4edc5b0676e} and Leo’s password: “constelleorising”
Gus – Gus Rodry had a GitHub account. The flag was in the development folder flag{84d5cc7e162895fa0a5834f1efdd0b32}
There was also a flag on the Constellations Twitter feed but I did not find a use for it flag{e483bffafbb0db5eabc121846b455bc7}
Hydraulic – use the usernames and passwords from Lyra challenge
#Brute Force the ssh interface using Hydra
hydra -L users -P passwords ssh://challenge.nahamcon.com:30164
RESULT1 - login:pavo password: starsinthesky
#flag.txt is in the home folder
#flag{cadbbfd75d2547700221f8c2588e026e}
Sensible – I never solved this, but figured it was something to do with the Ansible playbook found in /opt/ folder. This playbook appeared to use an Ansible feature called “become”, alongside what I believe were encrypted credentials. I tried to write my own ansible script to become root using these credentials and locate the flag but couldn’t quite get it to work, largely because I could not find any digestible guides on using Ansible.
Other Challenges
Rules – flag is in the source of the page – flag{90bc54705794a62015369fd8e86e557b}
Shoelaces – an image of some shoelaces – just use strings from the CLI – flag{137288e960a3ae9b148e8a7db16a69b0}
esab64 – use CyberChef
Recipe: Reverse -> Decode Base 64 -> Reverse
This gives the flag which I forgot to write down.
Buzz
file buzz
#identifies compressed file
xxd buzz | head
#identifies file header as 1f, which is gzip
mv buzz buzz.gz
gunzip buzz.gz
cat buzz
flag{b3a33db7ba04c4c9052ea06d9ff17869}
Veebee
Can’t remember how I identified the file type, maybe same way I did Buzz or possibly just guessed from challenge name. The file is a .vbe, and encoded Visual Basic Script.
Found a suitable decoder on github
Cloned the repository to my local machine and ran using python3. The decoded file contains the flag flag{f805593d933f5433f2a04f082f400d8c}
Eighth Circle
I didn’t have high expectation for myself on this one, but the challenge text mentioned hell, and I remembered Dante’s Inferno representing hell as several circles. Some research identified the eighth circle as Malbolge. A bit more research uncovered that Malbolge is the name of a niche programming language.
I found this online decoder
This gave the flag flag{bf201f669b8c4adf8b91f09165ec8c5c}
Abyss
Accessing this challenge through SSH we are faced with a stream of characters. However, if you are patient and watch carefully you can simply hit CTRL C at just the right time and get the flag. flag{db758a0cc25523993416c305ef15f9ad}
mrn00b0t 