Write-up for the git Happens room in TryHackMe

Description

Boss wanted me to create a prototype, so here it is! We even used something called “version control” that made deploying this really easy!

Attack Chain :tldr

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

export ip=<ip>
firefox http://$ip

# git dumper
git-dumper http://$ip/.git .

# look at different commits
git log
git show <commit_sha>
# searching for password trick
git log -S "password" -p

git show 395e087334d613d5e423cdf8f7be27196a360459

Solution

From the room title,it hints that it is about git. A challenge of checking git commits and finding the flag

Initial Git Logs review

First, download the git exposed using commands like git dumper git-dumper http://$ip/.git . or wget wget http://$ip/.git.

Git logs are basically the changes made in code we can access it using the command git log

To show specific commits (changes) we can use git show <commit>

git show e56eaa8e29b589976f33d76bc58a0c4dfb9315b1

git show d954a99b96ff11c37a558a5d93ce52d0f3702a7d

Juicy information:

• login=1
• /dashboard.html
• passwordHash

Changing Cookies

changing cookies to login=1 and accessing the dashboard shows that the password is the flag

Finding the Password

Trying to Crack the Password

PasswordHash = 4004c23a71fd6ba9b03ec9cb7eed08471197d84319a865c5442a9d6a7c7cbea070f3cb6aa5106ef80f679a88dbbaf89ff64cb351a151a5f29819a3c094ecebbb)

Tried Sha512 bruteforcing with john (no results)

1
2

# 4004c23a71fd6ba9b03ec9cb7eed08471197d84319a865c5442a9d6a7c7cbea070f3cb6aa5106ef80f679a88dbbaf89ff64cb351a151a5f29819a3c094ecebbb$SaltyBob
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format='dynamic=sha512($p.$s)' --fork=4

Checking other commits

Rechecking other commits shows the raw password. Also, I learned that search can be helpful, for example git log -S "password" -p

1

git show 395e087334d613d5e423cdf8f7be27196a360459

We found the flag!