# San Diego CTF 2021 : Git Good
> [time=Sun, May 10, 2021 10:53 PM]
###### tags: `CTF` `web` `git` `hashes` `weak-passwords`
## Challenge Description

<br>
## TL;DR
* Initial recon leads to robots.txt on the website, which lists the **/admin.html** and **/.git/** paths
* The **/.git/** path was not accessible directly, as directory listing was not enabled
* But checking any standard file like **/.git/config** gives a clue that a version control repository was hosted in production
* So with the help of **GitTools** we can recover all the source code of the website
* The source code has a database file with a weak password hash
* Crack the password to log in and we have the flag
<br>
## Solution
Checking robots.txt, two paths were disallowed:
```
User-agent: *
Disallow: /admin.html
Disallow: /.git/
```
Checking the **/admin.html** shows a login page but we still don't have the credentials.

Checking out the /.git/ - Not found error
```
Cannot GET /.git/
```
From here, I was not really sure what to do. It's obvious that the challenge is related to **git**, as the challenge name indicates. I had no proper idea and was not able to remember that source code can even be retrieved without directory listing enabled.
Then my friend [**@koimet**](https://twitter.com/k0imet_), who was well aware of this, used the tool from **internetwache** called [**GitTools**](https://github.com/internetwache/GitTools) to dump the source code of the website (easy-peasy).
He used the following command:
```
./gitdumper.sh http://cgau.sdc.tf/.git/ ./<folder-name>
```
Once he got the source, searching for important stuff revealed a **users.db** SQLite file with emails and password hashes.
Quickly, reading the data using sqlite -
```
sqlite> .tables
users
sqlite> SELECT * FROM users;
1|aaron@cgau.sdc.tf|e04efcfda166ec49ba7af5092877030e
2|chris@cgau.sdc.tf|c7c8abd4980ff956910cc9665f74f661
3|yash@cgau.sdc.tf|b4bf4e746ab3f2a77173d75dd18e591d
4|rj@cgau.sdc.tf|5a321155e7afbf0cfacf1b9d22742889
5|shawn@cgau.sdc.tf|a8252b3bbf4f3ed81dbcdcca78c6eb35
sqlite>
```
Cracking the first hash using [hashes.com](https://hashes.com), we get the password, which is `weakpassword`.
Cool. Now back to the login page with the email and the password!

Yay! We got the flag!
<br>
## Flag
> sdctf{1298754_Y0U_G07_g00D!}
<br>
## Takeaways
* Check if the website has version control repos in production
* Dig into every part of the source code to exploit more!
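
A defender-side check for the first takeaway, as an added example that is not part of the original writeup: it scans web access logs for `/.git/` files that were actually served, since a 404 on the bare `/.git/` directory (as seen above) does not mean the repository is unreachable. The log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not from the challenge server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2021:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 52 "-" "curl/7.68.0"
203.0.113.7 - - [10/May/2021:10:01:09 +0000] "GET /.git/ HTTP/1.1" 404 145 "-" "curl/7.68.0"
203.0.113.7 - - [10/May/2021:10:01:15 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "curl/7.68.0"
203.0.113.7 - - [10/May/2021:10:01:16 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
203.0.113.7 - - [10/May/2021:10:01:17 +0000] "GET /.git/objects/3a/9f0c1d2e4b5a69788796a5b4c3d2e1f0a9b8c7 HTTP/1.1" 200 181 "-" "curl/7.68.0"
198.51.100.4 - - [10/May/2021:10:05:00 +0000] "GET /.git/config HTTP/1.1" 404 145 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2021:10:05:03 +0000] "GET /admin.html HTTP/1.1" 200 1380 "-" "Mozilla/5.0"
"""

# Captures: client IP, request path, HTTP status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def find_git_exposure(log_text):
    """Return {client_ip: sorted /.git/ file paths that were served with a 2xx status}."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, status = m.group(1), int(m.group(3))
        path = m.group(2).split("?", 1)[0]  # drop any query string
        # A 404 on the bare directory only means listing is off; the files
        # underneath are what matter, so only 2xx responses for files count.
        if "/.git/" in path and not path.endswith("/") and 200 <= status < 300:
            served[ip].add(path)
    return {ip: sorted(paths) for ip, paths in served.items()}

def summarize(exposure):
    """Label each client 'objects' if repository objects were served, else 'metadata'."""
    return {ip: "objects" if any("/.git/objects/" in p for p in paths) else "metadata"
            for ip, paths in exposure.items()}

if __name__ == "__main__":
    exposure = find_git_exposure(SAMPLE_LOG)
    for ip, level in summarize(exposure).items():
        print(f"{ip}: {level} exposure, {len(exposure[ip])} file(s) served from /.git/")
```

Any hit means the deployed web root contains repository files and should be rebuilt from an export that excludes `.git`; an `objects` hit means file contents and history were retrievable.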
<br>
<br>
Happy Hacking!
<br>
<br>
> Special thanks to my friend [@koimet](https://twitter.com/k0imet_) for being a big part of this challenge.
> Feel free to provide feedback.
> [Twitter](https://twitter.com/z0k_r)
> [Discord](https://discord.com/users/539772083878494219)