Rating:
# Bionic
#osint #nmap #curl
```md
Thank you for taking on The Mission. You can begin by exploring the CONSTELLATIONS public website, [constellations.page](https://constellations.page/).
CONSTELLATIONS has "tried" to reduce their attack surface by offering just a static website. But you might find some low-hanging fruit to get you started.
You should find the flag for this challenge `ON THIS constellations.page website.`
With the flag of this challenge, you should also find a new URL that will assist in the next challenge.
After solving this challenge, you may need to refresh the page to see the newly unlocked challenges.
```
When looking at the source of the web page, we find a comment letting us know that there might be some interesting information available to us - _somewhere_.
```html
```
After looking around a bit, I decided to run an NMAP scan against the site. This provided some very useful information towards solving this part of the mission:
```
sudo nmap -sS -A -v -p 80, 433 -o constellation.page.nmap 34.117.193.93
...
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-git:
| 34.117.193.93:80/.git/
| Git repository found!
| .git/config matched patterns 'user'
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Management said I need to remove the team details so I redac...
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
| http-robots.txt: 1 disallowed entry
|_/meet-the-team.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: CONSTELLATIONS
```
I could not view the `.git/` folder found in the nmap scan, but I could curl some of the normal files found within a .git-folder.
```
$ curl -v 34.117.193.93:80/.git/config
* Trying 34.117.193.93:80...
* Connected to 34.117.193.93 (34.117.193.93) port 80 (#0)
> GET /.git/config HTTP/1.1
> Host: 34.117.193.93
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 13 Mar 2021 13:31:13 GMT
< Server: Apache/2.4.25 (Debian)
< Last-Modified: Tue, 23 Feb 2021 23:53:44 GMT
< ETag: "9c-5bc09a0ea7200"
< Accept-Ranges: bytes
< Content-Length: 156
< Via: 1.1 google
<
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[user]
name = Leo Rison
email = [email protected]
* Connection #0 to host 34.117.193.93 left intact
```
This gave me a new mail and an email address - saved those for later. Then, to have a look at the latest commits:
```sh
curl -v 34.117.193.93:80/.git/COMMIT_EDITMSG
* Trying 34.117.193.93:80...
* Connected to 34.117.193.93 (34.117.193.93) port 80 (#0)
> GET /.git/COMMIT_EDITMSG HTTP/1.1
> Host: 34.117.193.93
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 13 Mar 2021 13:43:39 GMT
< Server: Apache/2.4.25 (Debian)
< Last-Modified: Wed, 24 Feb 2021 00:20:18 GMT
< ETag: "162-5bc09ffecf480"
< Accept-Ranges: bytes
< Content-Length: 354
< Via: 1.1 google
<
Management said I need to remove the team details so I redacted that page and added it to robots.txt
# Please enter the commit message for your changes. Lines starting
# with '#' will be ignored, and an empty message aborts the commit.
#
# HEAD detached from 1142cc3
# Changes to be committed:
# modified: meet-the-team.html
# new file: robots.txt
#
* Connection #0 to host 34.117.193.93 left intact
```
Well, I did see a `robots.txt` mentioned in the nmap scan as well - so maybe that is something to check out then. And indeed, curled it and we got our flag!
```
$ curl https://constellations.page/robots.txt
User-agent: *
Disallow: /meet-the-team.html
flag{33b5240485dda77430d3de22996297a1} # this flag is for `Bionic`
```
_Note: I did not use `gobuster` or `nikto` scans as the CTF organizers specifically asked people not to use automated tools._