Git Good

Challenge Description


  • Initial recon leads to robots.txt on the website with a /admin.html and /.git/ paths
  • The /.git path was not accessible directly, as the directory listing was not enabled
  • But checking any standard file like /.git/config would give a clue that version control repository was hosted in production
  • So with help of a gitTools we can recover all the source code of website
  • Source code has an database file with a weak password hash
  • Crack the password to login and we have the flag


Checking into robots.txt two paths were disallowed

User-agent: *
Disallow: /admin.html
Disallow: /.git/

Checking the /admin.html shows a login page but we still don’t have the credentials.

Checking out the /.git/ - Not found error

Cannot GET /.git/

From here, I was not really sure about what to do. It’s obvious that the challenge is related to git as challenge name indicates. I have no proper idea and was not able to remember that source code can even be retrived without directory listing enabled.

Then my friend @koimet, who was well aware about this, used the tool from internetwache called GitTools to dump the source code of the website (easy-peasy).

He used the following command:

./ ./<folder-name>

Once he got the source, searching for important stuff revealed users.db sqilte file with emails and password hashes

Quickly, reading the data using sqlite -

sqlite> .tables
sqlite> SELECT * FROM users;

Cracking the first hash using, we get the password which is weakpassword

Cool. Now back to login page with the email and the password!

Yay! We got the flag!




  • Check if the website has version control repos in the production
  • Dig into every part of the source code to exploit more!

Happy Hacking!

Special thanks to my friend @koimet for being a big part of this challenge.

Feel free to provide feedback.