26 feb 2020

From partial .git reading to source code disclosure

Hi everyone!

This last weekend pry0cc, founder of 0x00sec, posted the first challenge of their bi-monthly CTF exercises. The purpose of this is to make very short, 10-30 minute exercises designed to teach you new techniques. Quite cool, isn't it? :P

The first challenge was about a website where you are supposed to log in and get the flag. The description of the challenge says that there are multiple ways to achieve the goal. In this post I will describe how I achieved it and how dangerous an exposed .git folder can be. So let's start!
Login box
I started by looking into the source code of the website, looking for any comments or paths that would give me a clue where to go:

Source code of main page

EASY! Let's grab .git directory! I thought :(

Forbidden /.git

Not that easy, of course, but always keep thinking out of the box. Directory listing is forbidden on the server, but what if we already know the path to a file? Let's check some well-known ones, like:

/.git/HEAD
We can read files! Cool, let's fetch some juicy files whose paths we already know, like:
  • /.git/logs/refs/heads/master
  • /.git/index
/.git/logs/refs/heads/master

We can see that there was just one commit on the master branch. If we parse the git index file correctly, we can get the SHA1 hashes of the git objects related to that commit.

Let's dive a bit into how git stores its objects and how we can use that when we find a website with an exposed .git folder. To illustrate it, I will show how the /.git/objects folder is structured after adding files with the git add command:

Example of /.git/objects
A new file and a new directory have appeared in the objects directory. This is because files, directory structures and commits are all stored as objects in that directory. The index file has changed too. We could dig much deeper into how git works, but that would be out of scope; if you want to know more, I recommend reading the documentation ;)

Continuing with the challenge, if we parse the index file with, for example, the well-known tool gin, we get its contents easily:

Content of index file
If you have done your homework correctly, you will have noticed that this SHA1 hash is split into two parts in the previous example of /.git/objects: the first two characters are used as a folder name and the rest of the hash as the file name. So we need to get the object and decompress it to see its content :)

/.git/objects/3c/c40115f559153d7e630ab8c4b67f3388d32e8c
Once I got the file, I used Python 3 and the zlib library to decompress it. As it seemed to be a tiny file, I just printed it in the Python console:

Content of index.php
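The index parsing and object decompression steps above, as an added example that is not part of the original post: a small Python 3 script that parses a version-2 git index (the format gin reads for you), maps a SHA1 to its loose-object path and inflates the object with zlib. The index and object it runs on are constructed inline, so nothing is fetched from any server.

```python
import hashlib, struct, zlib

def parse_git_index(data):
    """Parse a version-2 .git/index; return [(mode_octal, sha1_hex, path), ...]."""
    magic, version, count = struct.unpack(">4sII", data[:12])
    if magic != b"DIRC" or version != 2:
        raise ValueError("not a version-2 git index")
    # the file ends with a SHA1 over everything before it: catches truncated downloads
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch")
    entries, pos = [], 12
    for _ in range(count):
        # fixed part: 10 x uint32 (ctime, mtime, dev, ino, mode, uid, gid, size), sha1, flags
        mode = struct.unpack(">I", data[pos + 24:pos + 28])[0]
        sha1 = data[pos + 40:pos + 60].hex()
        name_len = struct.unpack(">H", data[pos + 60:pos + 62])[0] & 0x0FFF
        name = data[pos + 62:pos + 62 + name_len].decode()
        entries.append((oct(mode)[2:], sha1, name))
        pos += (62 + name_len + 8) // 8 * 8  # entry is NUL-padded to a multiple of 8
    return entries

def object_path(sha1):
    # loose objects live at .git/objects/<first 2 hex chars>/<remaining 38>
    return f".git/objects/{sha1[:2]}/{sha1[2:]}"

def read_loose_object(raw):
    # zlib-inflate, then split the "<type> <size>\0" header from the payload
    header, _, body = zlib.decompress(raw).partition(b"\0")
    obj_type, size = header.decode().split(" ")
    assert int(size) == len(body), "object size mismatch"
    return obj_type, body

def make_blob(content):
    # constructed loose object: git hashes and stores "blob <size>\0<content>"
    store = b"blob %d\0" % len(content) + content
    return hashlib.sha1(store).hexdigest(), zlib.compress(store)

def make_index(entries):
    # constructed version-2 index (timestamps and ids zeroed) for the given entries
    out = struct.pack(">4sII", b"DIRC", 2, len(entries))
    for mode, sha1, path in entries:
        name = path.encode()
        rec = struct.pack(">10I", 0, 0, 0, 0, 0, 0, int(mode, 8), 0, 0, 0)
        rec += bytes.fromhex(sha1) + struct.pack(">H", len(name)) + name
        out += rec + b"\0" * ((62 + len(name) + 8) // 8 * 8 - len(rec))
    return out + hashlib.sha1(out).digest()

SAMPLE_SRC = b"<?php echo 'constructed sample'; ?>\n"  # stand-in for index.php, not the real file
SAMPLE_SHA1, SAMPLE_OBJECT = make_blob(SAMPLE_SRC)
SAMPLE_INDEX = make_index([("100644", SAMPLE_SHA1, "index.php")])
```

Any of these paths being readable means the whole repository, history included, is recoverable, so the fix is to deny web access to the .git directory entirely (or not deploy it at all), not merely to disable directory listing.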
As this is the first challenge, I supposed that the hash was stored in one of the online databases. I also noticed that the flag is printed by the xor_this function, but I was a bit lazy and went down the dictionary path :P

admin:l33tsupah4x0r credentials
Flag

I hope this will help you in the future when you come across an exposed .git folder. If you liked this post, don't forget to share it ;)
