
San Diego CTF 2021 : Git Good

Sun, May 10, 2021 10:53 PM

tags: CTF web git hashes weak-passwords

Challenge Description



TL;DR

  • Initial recon leads to robots.txt on the website, which lists the /admin.html and /.git/ paths
  • The /.git/ path was not accessible directly, as directory listing was not enabled
  • But checking any standard file like /.git/config gives a clue that a version control repository is hosted in production
  • So with the help of GitTools we can recover all the source code of the website
  • The source code has a database file with a weak password hash
  • Crack the password to log in and we have the flag

Solution

Checking robots.txt showed that two paths were disallowed:

User-agent: *
Disallow: /admin.html
Disallow: /.git/

Checking /admin.html shows a login page, but we still don't have the credentials.


Checking out /.git/ returned a Not Found error:

Cannot GET /.git/

From here, I was not really sure what to do. It's obvious that the challenge is related to git, as the challenge name indicates. I had no proper idea and was not able to remember that source code can be retrieved even without directory listing enabled.

Then my friend @koimet, who was well aware of this, used the tool from internetwache called GitTools to dump the source code of the website (easy-peasy).

He used the following command:

./gitdumper.sh http://cgau.sdc.tf/.git/ ./<folder-name>

Once he got the source, searching for important stuff revealed a users.db SQLite file with emails and password hashes.

Quickly reading the data using sqlite:

sqlite> .tables
users
sqlite> SELECT * FROM users;
1|aaron@cgau.sdc.tf|e04efcfda166ec49ba7af5092877030e
2|chris@cgau.sdc.tf|c7c8abd4980ff956910cc9665f74f661
3|yash@cgau.sdc.tf|b4bf4e746ab3f2a77173d75dd18e591d
4|rj@cgau.sdc.tf|5a321155e7afbf0cfacf1b9d22742889
5|shawn@cgau.sdc.tf|a8252b3bbf4f3ed81dbcdcca78c6eb35
sqlite> 

Cracking the first hash using hashes.com, we get the password, which is weakpassword.

Cool. Now back to the login page with the email and the password!


Yay! We got the flag!


Flag

sdctf{1298754_Y0U_G07_g00D!}


Takeaways

  • Check whether the website has version control repos in production
  • Dig into every part of the source code to exploit more!
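
The first takeaway as a check you can run against a site you operate (an added example, not part of the original write-up). It probes well-known files instead of the /.git/ directory, because a 404 on the directory says nothing about the files under it; the /.git/HEAD probe, the site.example responses and the function names are assumptions made for this example.

```python
import re
import urllib.error
import urllib.request

# Well-known files inside a .git directory and a pattern their content matches.
# Probing files matters because "/.git/" itself can return 404 when directory
# listing is off while the files underneath are still served.
SIGNATURES = {
    "/.git/HEAD": re.compile(r"^(ref: refs/|[0-9a-f]{40}\s*$)"),
    "/.git/config": re.compile(r"^\[core\]", re.MULTILINE),
}


def http_fetch(url, timeout=5):
    """Return (status, body) for url; HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def exposed_git_files(base_url, fetch=http_fetch):
    """List the well-known .git files that base_url serves with git-like content."""
    found = []
    for path, pattern in SIGNATURES.items():
        status, body = fetch(base_url.rstrip("/") + path)
        # Require both a 200 and matching content, so a custom "not found"
        # page that is sent with status 200 does not count as exposure.
        if status == 200 and pattern.search(body):
            found.append(path)
    return found


# Constructed responses modelled on the behaviour described in this write-up.
SAMPLE_SITE = {
    "http://site.example/.git/": (404, "Cannot GET /.git/"),
    "http://site.example/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "http://site.example/.git/config": (200, "[core]\n\tbare = false\n"),
}


def sample_fetch(url):
    """Stand-in for http_fetch that answers from the constructed sample site."""
    return SAMPLE_SITE.get(url, (404, "Not found"))


if __name__ == "__main__":
    print(exposed_git_files("http://site.example", fetch=sample_fetch))
```

A non-empty result means the web server is serving repository internals; the fix is to keep the .git directory out of the deployed web root or have the server deny every path under it.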


Happy Hacking!



Special thanks to my friend @koimet for being a big part of this challenge.
Feel free to provide feedback.