TryHackMe | Git happens
This is one (of many) walkthroughs for the Git Happens CTF room. As always, in this article I try to follow some simple enumeration steps to expose potential flaws.
Enumeration
As usual, I use nmap to see which ports are open.
$ nmap -sCV $IP-ADDRESS
Starting Nmap 7.60 ( https://nmap.org ) at 2023-03-01 16:10 GMT
Nmap scan report for ip-10-10-137-1.eu-west-1.compute.internal (10.10.137.1)
Host is up (0.0018s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.0 (Ubuntu)
| http-git:
| $IP-ADDRESS:80/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
MAC Address: 02:69:E3:C5:92:09 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.80 seconds
After accessing the web server in a browser, I found a sign-in page.
Afterwards, I tried to use gobuster to brute-force some URIs to see if there was any hidden information in other files (or folders).
$ gobuster dir -u http://$IP-ADDRESS -x txt,php,git,js,py,html -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://IP-ADDRESS
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php,git,js,py,html
[+] Timeout: 10s
===============================================================
2023/03/01 16:12:41 Starting gobuster
===============================================================
/.git/HEAD (Status: 200)
/css (Status: 301)
/dashboard.html (Status: 200)
/index.html (Status: 200)
/index.html (Status: 200)
===============================================================
2023/03/01 16:12:45 Finished
===============================================================
Nothing very interesting was found. 🤔 However, the other page that I found (dashboard.html) was redirecting the user to the index page. Perhaps there was some sort of authentication validation there. Going back to the index.html page, I noticed an obfuscated script at the very bottom.
I pasted the code into a beautifier and copied it to a text editor; feel free to use one of your choice. Something that quickly stood out was the existence of two methods: (1) login, which was triggered by the sign-in page, and (2) digest, which was called from the login method. My initial efforts went into getting to know more about them.
It seemed that the login method was grabbing the values from the login form, computing a digest of the password and finally comparing it against some stored credentials. In case of a positive match, the user is redirected to the dashboard page with login=1 set in the document cookies.
However, I could get no further with this, as only the digest of the password was present in the script. So, no way to reverse engineer it.
git happens
Yeah, right! From the gobuster output, there was a .git folder with all the git resources exposed to the internet. Navigating through the different folders, I didn't get any valuable information to carry on. I went for a little internet research about "dump git information". After some minutes, I came across a Python script (git-dumper) that would do exactly what I needed.
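The exposure that makes this room work can be confirmed with a single request, which is what nmap's http-git script did above: a web root that serves /.git/HEAD with a symbolic ref is serving the whole repository. As an added example (not part of the original walkthrough, nor git-dumper's code), here is a small Python self-check a defender can point at their own site. The classification is separated from the HTTP fetch so it can be tested on constructed responses; the default hostname, the User-Agent string and the sample bodies are assumptions.

```python
"""Check whether a web server exposes its .git directory (added example, not from the room)."""
import sys
import urllib.error
import urllib.request

# A symbolic HEAD looks like "ref: refs/heads/master"; a detached HEAD is a bare object id.
HEAD_PREFIXES = ("ref: refs/",)


def classify_git_head(status, body):
    """Classify a response to GET /.git/HEAD.

    Returns one of:
      "exposed"     - the body is a git HEAD file (symbolic ref or raw commit id)
      "blocked"     - server answered 403/404, the usual result of a deny rule
      "unreachable" - no HTTP response at all (status 0 from fetch())
      "unknown"     - 200 with a body that is not git metadata (soft-404 / SPA page)
    """
    if status == 0:
        return "unreachable"
    if status in (403, 404):
        return "blocked"
    if status != 200:
        return "unknown"
    text = body.strip()
    if text.startswith(HEAD_PREFIXES):
        return "exposed"
    # Detached HEAD: a bare 40-hex SHA-1 (or 64-hex SHA-256) object id.
    if len(text) in (40, 64) and all(c in "0123456789abcdef" for c in text):
        return "exposed"
    return "unknown"


def fetch(url, timeout=5):
    """GET url and return (status, body_text); network errors map to status 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def check_site(base_url):
    """Return the classification of <base_url>/.git/HEAD."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return classify_git_head(status, body)


if __name__ == "__main__":
    # Assumed usage: python3 git_exposure_check.py http://host-you-own
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    print(f"{target}: .git/HEAD is {check_site(target)}")
```

"blocked" is what you want to see: on nginx a `location ~ /\.git { deny all; }` block produces the 403, though the cleaner fix is to never copy .git into the served directory or container image in the first place, since a deny rule protects one path pattern while the objects still sit on disk.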
# FROM THM VM
$ git-dumper http://IP-ADDRESS/.git /root/git_dumper
$ cd git_dumper
$ ls -la
total 44
drwxr-xr-x 4 root root 4096 Mar 3 16:39 .
drwxr-xr-x 46 root root 4096 Mar 3 16:32 ..
drwxr-xr-x 2 root root 4096 Mar 3 16:39 css
-rw-r--r-- 1 root root 3775 Mar 3 16:39 dashboard.html
-rw-r--r-- 1 root root 1115 Mar 3 16:39 default.conf
-rw-r--r-- 1 root root 120 Mar 3 16:39 Dockerfile
drwxr-xr-x 7 root root 4096 Mar 3 16:39 .git
-rw-r--r-- 1 root root 792 Mar 3 16:39 .gitlab-ci.yml
-rw-r--r-- 1 root root 6890 Mar 3 16:39 index.html
-rw-r--r-- 1 root root 54 Mar 3 16:32 README.md
It seemed that I had access to the repo files. Let's see how many changes were made here.
# from git dumper result
$ git log
...
commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:25:52 2020 +0200
Obfuscated the source code.
Hopefully security will be happy!
commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:17:43 2020 +0200
Made the login page, boss!
commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Mon Jul 20 20:46:28 2020 +0000
Initial commit
From the commits, a story was being told. Before deep diving into each commit in isolation, let's assume that the developers added nice and self-explanatory commit messages. With that in mind, it seemed that the big boss asked for a login page. Let's see what 395e087334d613d5e423cdf8f7be27196a360459 has to offer. By checking the sign-in HTML page at that commit, something really interesting appeared.
<html>
...
  <script>
    function login() {
      let form = document.getElementById("login-form");
      console.log(form.elements);
      let username = form.elements["username"].value;
      let password = form.elements["password"].value;
      if (
        username === "admin" &&
        password === "Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!"
      ) {
        document.cookie = "login=1";
        window.location.href = "/dashboard.html";
      } else {
        document.getElementById("error").innerHTML =
          "INVALID USERNAME OR PASSWORD!";
      }
    }
  </script>
...
</html>
Hydragyrum hardcoded some credentials and forgot to delete them before committing the changes. I tried that password as the "super secret password" and, surprisingly, that solved the exercise at hand.
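The mistake in commit 395e087334d613d5e423cdf8f7be27196a360459, a literal password added to a tracked file, is the kind of thing a secret scanner in CI or a pre-commit hook catches before it reaches history, which no later "obfuscation" commit can undo. As an added example, not code from the room or its author, the Python below reads the output of git log -p and reports added lines that assign or compare a credential-like name to a string literal. The diff embedded in it is constructed to mirror the shape of the two commits above, with made-up commit ids, a made-up password and a placeholder digest.

```python
"""Scan `git log -p` output for hardcoded credentials on added lines (added example, not from the room)."""
import re
import sys

# Credential-like names followed by an assignment or comparison to a string literal,
# e.g. `password === "..."` or `api_key = '...'`. Extend the name list as needed.
CREDENTIAL_RE = re.compile(
    r"""(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*(?:={1,3}|:)\s*["'][^"']{6,}["']"""
)
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.*)$")


def scan_git_log(log_text):
    """Return findings for every added line in `log_text` that matches CREDENTIAL_RE.

    Each finding is {"commit", "file", "keyword", "line"}. Removed ("-") and context
    lines are ignored, so a commit that deletes a secret is not itself reported; the
    secret is still recoverable from the earlier commit's objects.
    """
    findings = []
    commit = path = None
    for raw in log_text.splitlines():
        m = COMMIT_RE.match(raw)
        if m:
            commit, path = m.group(1), None
            continue
        m = FILE_RE.match(raw)
        if m:
            path = m.group(1)
            continue
        if not raw.startswith("+"):
            continue
        added = raw[1:]
        hit = CREDENTIAL_RE.search(added)
        if hit:
            findings.append({"commit": commit, "file": path,
                             "keyword": hit.group(1).lower(),
                             "line": added.strip()})
    return findings


# Constructed sample history: commit ids, author and password are made up; the second
# commit replaces the literal with a placeholder digest the way the room's history did.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page

diff --git a/index.html b/index.html
--- a/index.html
+++ b/index.html
@@ -10,0 +11,6 @@
+    <script>
+      function login() {
+        if (username === "admin" &&
+            password === "CONSTRUCTED_example_p4ssword!") {
+          document.cookie = "login=1";
+        }
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>
Date:   Thu Jul 23 23:25:52 2020 +0200

    Obfuscated the source code

diff --git a/index.html b/index.html
--- a/index.html
+++ b/index.html
@@ -13,1 +13,1 @@
-            password === "CONSTRUCTED_example_p4ssword!") {
+        if (digest(password) === "0123456789abcdef0123456789abcdef") {
"""


if __name__ == "__main__":
    # Assumed usage: git log -p --no-color | python3 scan_history.py
    # With no piped input it runs on the constructed SAMPLE_LOG above.
    data = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in scan_git_log(data):
        print(f"{f['commit'][:12]} {f['file']}: {f['keyword']} literal -> {f['line']}")
```

On the sample history only the first commit is reported: the obfuscation commit adds no literal, but it also does not remove the one already stored in the earlier commit's objects, which is exactly what git-dumper recovered here. Rotating the credential is the only fix once it has been committed; rewriting history helps only if every clone and the exposed copy are replaced too.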
Conclusion
This CTF was quite fun, as it introduced a new tool whose existence I didn't know about. git-dumper provided a nice and easy way to dump all the information about a git repository. Additionally, this exercise also reminded me that good commit messages allow developers to quickly find potential bugs and the files involved. Kudos to hydragyrum for creating this one! 👍