Skip to content

Git Happens

Starting information

The only guidance we have starting this room is the prompt Find the Super Secret Password.

export ip=10.10.51.156

Recon / Enumeration

Starting with a basic port scan: nmap $ip We find that port 80 is open, so I'll take a look in the browser.

This brings us to a login page:

image

In the bottom of this page's source, I noticed an unusual and very long script block:

image

It seems like this could be an obfuscated piece of code, but since I'm not sure what to make of it I'll poke around a bit more first.

With a more comprehensive scan of port 80 (nmap -sVC -T4 $ip -p80 -oN full_80.nmap), I discovered /.git/ which seems to expose the .git directory of the webpage repository.

image

Exploring /.git /

I downloaded a local copy of the website, including this .git directory using wget --recursive $ip/.git and looked through the files for any useful information.

With some research and looking inside refs, I'm learning that we can use git to interactively get information from the repository.

image

This is an interesting start, but I decided to use GitTools to get a bit more support in automating this discovery process. (It turns out I didn't really need the features of GitTools here, but it's still good to know about for the future).

After cloning this repo, I had success running ./GitTools/Dumper/gitdumper.sh 10.10.51.156/.git/ dumper_out

image

Running git status in my newly cloned directory ,dumper_out, (which I now realize I could have done without GitTools) I find that the most recent changes deleted several files. We can restore these files with git checkout -- . README.md reads this, which makes me think we're heading in the right direction: 

# git-fail

Sometimes, bad things happen to good sites

Among these restored files, dashboard.html has some interesting content, although like the obfuscated string earlier, I'm not sure what to make of it.

image

I finally decided to take a look at the commit history with git log, and I found some very informative commit messages:

image

I'll checkout the commit before obfuscation with git checkout 395e087334d613d5e423cdf8f7be27196a360459 . Now revisiting index.html, we find some credentials hardcoded in the page. Although the web app doesn't actually let us log in, as we saw in dashboard.html earlier, we should be able to use the login password as the flag, which finishes the room!

Closing thoughts

I have a lot of experience using Git for programming projects between personal life and my college coursework, and this was a great way to reinforce that knowledge with a new goal. It has me considering a few ideas including the significance of permanence online, having good security from the start (the concept of secure by design vs bolted on security), and perhaps being a little more subtle with commit messages!