The below walkthrough is for the new box from Try Hack Me. Basically we have a website with a git repository with various commits and we need to enumerate through the commits to find the super secret password.
Let's start with a version scan with scripts of all the major ports using nmap:
So we have a nginx web server running on port 80. We can also see that there is an unnamed git repository found in directory /.git. The website has the title “Super Awesome Site”.
Let’s head over to the website and take a look:
I tried some basic username and password enumerations such as admin & password, but nothing worked. Checking out the source code we can see that there is a lot of obfuscation especially the script. With my limited experience, there is no way I can do anything with this.
What we do know is that there is a git repository in directory /.git:
To pull and copy the repository to my local machine I will use a script called gitdumper.sh, which can be found at the below link.
https://raw.githubusercontent.com/internetwache/GitTools/master/Dumper/gitdumper.sh
Run the script as follows:
./gitdumper.sh http://[IP-Address]/.git/ [Output Directory]
In order to run git commands on the download depository, you need to run them from the directory which also contains the .git directory, otherwise you will receive the following error, “fatal: this operation must be run in a work tree.”
Once downloaded we can now run git commands; however, you will need to have git installed on your attacking machine, check this with:
git --version
Lets see what is on the master, we can do this with the command:
git checkout master
To start with I am interested in the index.html page as this is the login form, let get this file and view it with the following command:
git checkout index.html
The index.html will be added in our directory, viewing the index.html file we can see that it is the same as the page source view from the website.
What we need enumerate is the version history on what files have been committed. There are two ways we can do this.
Option 1:
Using the command:
git log
This will display all the commit history and lists the commits made in that repository in reverse chronological order; that is, the most recent commits show up first. As we move down the commit history, we can see various changes that have been made relating to the security of the website, from obfuscation to SHA-512. If we continue down given that the commits are in reverse chronological order, we get a good understanding of the changes made.
Starting from the bottom:
Made the login page, Boss
Obfuscated the source code
Security says obfuscation isn’t enough, use SHA-412
Re-obfuscate code to be really secure
As can be seen, each commit has a hash and we can view these using the following command:
git checkout [HASH]
There is a hint in the description of the room which mentions ‘Boss’ and in the above we can see a commit with the description, “Made the login page, boss”. As this was the first one, we hope that it is the original source code before any obfuscation was implemented.
The earlier version of the index.html now replaces the earlier one in our working directory. If we cat the new index.html file we can see that there is no obfuscation of the code and the username and password are in plan text.
For the final step enter the Username and Password into the login box and press return.
Option 2 — Another way
Instead of looking for a specific commit from the log, we could just check through every commit that has been made. To do this we can use the -p flag on the git log command.
git log -p
This is especially handy if you do not really know what you are looking for and need to check through every commit, it also saves a lot of time and duplication of using the git checkout [Hash] command.
Exploiting git was new to me and required a lot of Googling, I would serrious recommend checking out the official git documentation, especially what they call the book:
Ultimately I learn’t a lot from this box, a big thank you to the developer:
