Git Good

Challenge Description


TL;DR

  • Initial recon leads to robots.txt on the website, which lists the /admin.html and /.git/ paths
  • The /.git/ path was not accessible directly, as directory listing was not enabled
  • But requesting a standard file such as /.git/config reveals that a version control repository is hosted in production
  • So, with the help of GitTools, we can recover all the source code of the website
  • The source code contains a database file with a weak password hash
  • Crack the password to log in and we have the flag

Solution

Checking robots.txt, two paths were disallowed:

User-agent: *
Disallow: /admin.html
Disallow: /.git/

Checking the /admin.html shows a login page but we still don’t have the credentials.

Checking /.git/ returns a Not Found error:

Cannot GET /.git/

From here, I was not really sure what to do. It’s obvious that the challenge is related to git, as the challenge name indicates. I had no proper idea and was not able to remember that source code can be retrieved even without directory listing enabled.

Then my friend @koimet, who was well aware about this, used the tool from internetwache called GitTools to dump the source code of the website (easy-peasy).

He used the following command:

./gitdumper.sh http://cgau.sdc.tf/.git/ ./<folder-name>

Once he got the source, searching for important stuff revealed a users.db SQLite file with emails and password hashes.

Quickly reading the data using sqlite:

sqlite> .tables
users
sqlite> SELECT * FROM users;
1|aaron@cgau.sdc.tf|e04efcfda166ec49ba7af5092877030e
2|chris@cgau.sdc.tf|c7c8abd4980ff956910cc9665f74f661
3|yash@cgau.sdc.tf|b4bf4e746ab3f2a77173d75dd18e591d
4|rj@cgau.sdc.tf|5a321155e7afbf0cfacf1b9d22742889
5|shawn@cgau.sdc.tf|a8252b3bbf4f3ed81dbcdcca78c6eb35
sqlite> 

Cracking the first hash using hashes.com, we get the password, which is weakpassword.

Cool. Now back to login page with the email and the password!

Yay! We got the flag!


Flag

sdctf{1298754_Y0U_G07_g00D!}


Takeaways

  • Check if the website has version control repos in production
  • Dig into every part of the source code to exploit more!
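
For the first takeaway, a deployment check you can run against a site you operate (an added example, not part of the original write-up or of GitTools). It tests the fixed-path files rather than the /.git/ directory URL, since the directory returned 404 here while the files underneath were still served; the helper names and the sample responses are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Files found at fixed paths in a git repository, each with a pattern that
# confirms the body is really git metadata and not a custom error page.
PROBES = {
    "/.git/HEAD": re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$"),
    "/.git/config": re.compile(r"^\[core\]", re.MULTILINE),
}

def http_fetch(base_url):
    """Return a fetch(path) -> (status, body) callable for a site you operate."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=5) as r:
                return r.status, r.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
    return fetch

def audit_git_exposure(fetch):
    """Return the git metadata files the server hands out.

    The directory URL /.git/ is deliberately not used as evidence: with
    directory listing disabled it returns 404 even when the files below
    it are still served.
    """
    exposed = []
    for path, signature in PROBES.items():
        status, body = fetch(path)
        if status == 200 and signature.search(body):
            exposed.append(path)
    return exposed

# Constructed responses modelled on the behaviour seen in this write-up.
CHALLENGE_LIKE = {
    "/.git/": (404, "Cannot GET /.git/"),
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
}
# Constructed: a server answering 200 with an HTML error page, and one that blocks /.git.
SOFT_404 = {p: (200, "<html>Page not found</html>") for p in CHALLENGE_LIKE}
BLOCKED = {p: (404, "Not Found") for p in CHALLENGE_LIKE}

def fake_site(responses):
    """Offline stand-in for http_fetch, backed by a dict of canned responses."""
    return lambda path: responses.get(path, (404, ""))
```

In a release pipeline, call audit_git_exposure(http_fetch("https://your-site.example")) and fail the deploy if the list is non-empty; the fix is to keep .git out of the web root or deny the path in the web server configuration.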



Happy Hacking!



Special thanks to my friend @koimet for being a big part of this challenge.

Feel free to provide feedback.