Challenge Description
TL;DR
- Initial recon leads to robots.txt on the website, which lists the /admin.html and /.git/ paths
- The /.git/ path was not directly accessible because directory listing was not enabled
- But requesting a standard file such as /.git/config gives a clue that a version control repository is hosted in production
- So with the help of GitTools we can recover all the source code of the website
- The source code includes a database file with a weak password hash
- Crack the password to log in and we have the flag
Solution
Checking robots.txt, two paths were disallowed:
User-agent: *
Disallow: /admin.html
Disallow: /.git/
Checking /admin.html shows a login page, but we still don’t have the credentials.
Checking /.git/ returns a Not Found error:
Cannot GET /.git/
From here, I was not really sure what to do. It’s obvious that the challenge is related to git, as the challenge name indicates. I had no proper idea and was not able to remember that source code can be retrieved even without directory listing enabled.
Then my friend @koimet, who was well aware of this, used the tool from internetwache called GitTools to dump the source code of the website (easy-peasy).
He used the following command:
./gitdumper.sh http://cgau.sdc.tf/.git/ ./<folder-name>
Once he got the source, searching for important stuff revealed a users.db SQLite file with emails and password hashes.
Quickly reading the data using sqlite:
sqlite> .tables
users
sqlite> SELECT * FROM users;
1|aaron@cgau.sdc.tf|e04efcfda166ec49ba7af5092877030e
2|chris@cgau.sdc.tf|c7c8abd4980ff956910cc9665f74f661
3|yash@cgau.sdc.tf|b4bf4e746ab3f2a77173d75dd18e591d
4|rj@cgau.sdc.tf|5a321155e7afbf0cfacf1b9d22742889
5|shawn@cgau.sdc.tf|a8252b3bbf4f3ed81dbcdcca78c6eb35
sqlite>
Cracking the first hash using hashes.com, we get the password, which is weakpassword.
Cool. Now back to the login page with the email and the password!
Yay! We got the flag!
Flag
sdctf{1298754_Y0U_G07_g00D!}
Takeaways
- Check whether the website has version control repos in production
- Dig into every part of the source code to exploit more!
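The defender's side of these takeaways, as an added example that is not part of the original write-up: a pre-deploy audit that walks a web root and flags version-control metadata and SQLite files, including columns that look like unsalted digests. The function names, finding labels and the 32-hex-character heuristic are assumptions, and `build_sample` creates a constructed web root shaped like the one in this challenge.

```python
import os
import re
import sqlite3
from contextlib import closing

VCS_DIRS = {".git", ".svn", ".hg"}
SQLITE_MAGIC = b"SQLite format 3\x00"
# Assumption: a text column holding only 32-hex-character values is an
# unsalted fast digest (MD5 length); the write-up does not name the algorithm.
HEX32 = re.compile(r"[0-9a-fA-F]{32}")

def hash_like_columns(db_path):
    """Return (table, column) pairs whose non-null values are all 32 hex chars."""
    hits = []
    with closing(sqlite3.connect(db_path)) as con:
        for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                vals = [r[0] for r in con.execute(
                    f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')]
                if vals and all(isinstance(v, str) and HEX32.fullmatch(v) for v in vals):
                    hits.append((table, col))
    return hits

def audit_webroot(root):
    """Walk a deploy directory and list what should not ship to production."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in [d for d in dirnames if d in VCS_DIRS]:
            findings.append(("vcs-metadata", os.path.relpath(os.path.join(dirpath, d), root)))
            dirnames.remove(d)  # report the repository once, do not descend into it
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if fh.read(16) != SQLITE_MAGIC:
                    continue  # not a SQLite database, whatever its extension
            rel = os.path.relpath(path, root)
            findings.append(("database-in-webroot", rel))
            findings += [("hash-like-column", f"{rel}:{t}.{c}") for t, c in hash_like_columns(path)]
    return sorted(findings)

def build_sample(root):
    """Constructed sample: a web root shaped like the one in the write-up."""
    os.makedirs(os.path.join(root, ".git"))
    for rel in (os.path.join(".git", "config"), "admin.html"):
        open(os.path.join(root, rel), "w").close()
    with closing(sqlite3.connect(os.path.join(root, "users.db"))) as con:
        con.execute("CREATE TABLE users (id INTEGER, email TEXT, hash TEXT)")
        con.execute("INSERT INTO users VALUES (1, 'user@example.test', ?)", ("0" * 32,))
        con.commit()
```

Run `audit_webroot` against the directory the web server actually serves and fail the deploy when it returns any finding.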
Happy Hacking!
Special thanks to my friend @koimet for being a big part of this challenge.
Feel free to provide feedback.