Git Happens
Starting information
The only guidance we have starting this room is the prompt Find the Super Secret Password
.
export ip=10.10.51.156
Recon / Enumeration
Starting with a basic port scan: nmap $ip
We find that port 80 is open, so I'll take a look in the browser.
This brings us to a login page:
In the bottom of this page's source, I noticed an unusual and very long script block:
It seems like this could be an obfuscated piece of code, but since I'm not sure what to make of it I'll poke around a bit more first.
With a more comprehensive scan of port 80 (nmap -sVC -T4 $ip -p80 -oN full_80.nmap
), I discovered /.git/ which seems to expose the .git directory of the webpage repository.
Exploring /.git /
I downloaded a local copy of the website, including this .git directory using wget --recursive $ip/.git
and looked through the files for any useful information.
With some research and looking inside refs
, I'm learning that we can use git to interactively get information from the repository.
This is an interesting start, but I decided to use GitTools to get a bit more support in automating this discovery process. (It turns out I didn't really need the features of GitTools here, but it's still good to know about for the future).
After cloning this repo, I had success running ./GitTools/Dumper/gitdumper.sh 10.10.51.156/.git/ dumper_out
Running git status
in my newly cloned directory ,dumper_out
, (which I now realize I could have done without GitTools) I find that the most recent changes deleted several files. We can restore these files with git checkout -- .
README.md
reads this, which makes me think we're heading in the right direction:
Among these restored files, dashboard.html
has some interesting content, although like the obfuscated string earlier, I'm not sure what to make of it.
I finally decided to take a look at the commit history with git log
, and I found some very informative commit messages:
I'll checkout the commit before obfuscation with git checkout 395e087334d613d5e423cdf8f7be27196a360459 .
Now revisiting index.html
, we find some credentials hardcoded in the page. Although the web app doesn't actually let us log in, as we saw in dashboard.html
earlier, we should be able to use the login password as the flag, which finishes the room!
Closing thoughts
I have a lot of experience using Git for programming projects between personal life and my college coursework, and this was a great way to reinforce that knowledge with a new goal. It has me considering a few ideas including the significance of permanence online, having good security from the start (the concept of secure by design vs bolted on security), and perhaps being a little more subtle with commit messages!