Oct. 8, 2020

Post Cover Gif animation

Res - THM Room

Howdy! Welcome to Git Happens write-up. Let’s see how we can compromise this room. I hope you enjoy it!

Scanning the machine

I start with Autorecon once again (referring to my last writeup). While it runs, let’s check if we have any webpage or app being served at the IP address of the target machine.

We do get a login form.

Login form

Let’s run gobuster as well.

We run goBuster and Autorecon

While these two are working, let’s see if we can find some information about git, since this room seems dedicated or based on it.

It is not crazy to assume this machine could have a git repository.

Turns out pubicly hosting your repository on a production website, by just cloning the repo, seems to be quite a bad idea. Long story short it seems git and other version control systems create a folder with a copy of the repository fo tracking. Meaning we can get full access to the code repository if the admin is not restricting access to that location.

If this seems interesting, I suggest reading this article I consulted.

So let’s see if we have access to a possible repository at /.git location:

We do have access!

Ok so far so good. Let’s see what we can find by looking around the repo a bit. Mmm it seems we cannot just browse around this repo, since any link I click is downloading a file (that we can read though).

The same article I pointed out earlier gives us a guide on what to try and do next. We need to try to download that repository so we can get our hands on it in a practical way.

Seems we can just use wget to get us a local copy of that repository. Let’s see how we do that:

wget --mirror -I .git {TARGET_IP}/.git/

Let’s run that:

We start to download a copy of the repo

If we navigate into the cloned repository in our local machine, now we can see all the information and browse around without issues:

the copied repository folders

I think we just probably need to browse around for the supersecret password to solve the room. Let’s give it a go then.

We can do a git status and we see some files were removed and can be recovered thanks to git version control.

We can see deleted files in the repository and restore them

Let’s compromise this repository

At this point we can keep manually looking for some clues or the supersecret key. But we need to do this in a better way, let’s google a bit and see if we can use any tool to scan repositories for keys, hashes, etc.

I found this site that lists some tools that we can try out. As you might have noticed, I don’t know yet how to exploit this room either. 😆

From the list two tools stand out to me, Git Hound and Truffle Hog I’ve seen mentioned around in some streams and videos but never really used them before.

I decided to try the Truffle Hog.

We run pip install truffleHog to install it, it seems.

Running it like this trufflehog /Directory/.git quickly returns quite a lot of results. Including a very interesting commit where a hash, username and algorithm used are mentioned:

Intersting results

However at this commit in time, the password is already hashed. Let’s see if we can find an older one.

There seems to be one that could be useful:

Even though that commit is about a CSS file, we can assume it was styling the page we want to look into.

Let’s show that commit by running git show {Commit_hash_id}. If you noticed each commit has this hash unique id.

we get the flag

That’s it if we look through that commit we can see the code where the password was hashed (in a later commit) it is unhashed in this one.

That’s our flag!

That’s it, I really hope you enjoyed this room like I did. Please leave a comment if you liked this writeup, or hated it. Or even if you ended up here by pure accident!

Happy hacking and thanks for stopping by!

comments powered by Disqus