Git Good: A Web CTF dealing with broken git commits.

My friends and I decided to play SDCTF 2021. In the CTF we came across a challenge called Git Good. Here is the background we were given:

Challenge description on their server

Honestly, I didn’t even read it. “Git Good” already had my ears up because I was sure it would be a challenge dealing with broken git commits. Don’t worry, I will thoroughly go over what a broken git commit is. First let me show you the website.

Pretty sweet looking frontend.

What is a broken git commit?

To understand what a broken git commit is, you must know what git is. I am talking about git itself, not GitHub; they are different. Git is what professional developers use to manage their projects. You don’t need a GitHub account to use Git on a server. You might want to read up on that before proceeding.

When you initialize a git repository, the project always has a .git directory. That .git directory holds the files git needs to do its job. The “.” in front of git makes it a hidden directory.

Even when you clone a GitHub project and run “ls -la” in your Linux terminal, you will notice a .git folder sitting there. That .git folder holds your entire commit history and thus can be used to reconstruct the commits.

Screenshot just for explanation.
What a git directory looks like

A broken git commit is just that: a .git folder exposed on a website. How did I verify that the website had a leaking .git folder? Easy. Just request .git/HEAD. There is always a HEAD file in the .git folder.

As you can see, the browser automatically started downloading the returned file. Great, let’s get cracking then.

Extraction of source code:

I will use the GitTools Dumper to dump all the files we can. What that means is brute-forcing the .git directory with a wordlist (the one gitdumper uses by default) to pull out enough files from the broken git commit that we can cleanly extract the code from the previous commits.

Usage

Great. Now run ls -la again and you will see a new .git folder appear. That’s the .git folder we dumped using gitdumper.

Now let’s extract the source code from the commit history using a tool called Extractor, also from GitTools. If you want to fall down the rabbit hole of how exactly Extractor does it, start from here after you finish the article.
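To show what Extractor is actually doing when it rebuilds source from a dumped .git, here is an added Python example (not the page’s or GitTools’ code) that parses git’s loose-object format directly: it inflates each zlib-compressed object, checks its header and sha1 name, and walks commit → tree → blob back through the parent links. The object store is an in-memory dict standing in for .git/objects/xx/yyyy…, and the two commits are a constructed history shaped like the one in this write-up (md5 in the old commit, bcrypt added in the new one).

```python
import hashlib
import zlib

def hash_object(obj_type, content):
    """Build a git loose object: 'type size\\0' + content; its name is the sha1 of that, stored zlib-deflated."""
    raw = obj_type + b" " + str(len(content)).encode() + b"\x00" + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def read_object(store, sha):
    """Inflate one object (on disk: .git/objects/<sha[:2]>/<sha[2:]>) and verify its header and name."""
    raw = zlib.decompress(store[sha])
    header, _, content = raw.partition(b"\x00")
    obj_type, size = header.split(b" ")
    if int(size) != len(content) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("corrupt object " + sha)
    return obj_type, content

def parse_tree(content):
    """Tree entries are '<mode> <name>\\0<20 raw sha bytes>', repeated with no separator."""
    entries, i = [], 0
    while i < len(content):
        nul = content.index(b"\x00", i)
        mode, name = content[i:nul].decode().split(" ", 1)
        entries.append((mode, name, content[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries

def walk_commits(store, head_sha):
    """Follow 'parent' headers from HEAD to the root; yield (commit sha, {path: bytes}) newest first."""
    sha = head_sha
    while sha:
        _, body = read_object(store, sha)
        headers = dict(l.split(b" ", 1) for l in body.partition(b"\n\n")[0].split(b"\n"))
        _, tree = read_object(store, headers[b"tree"].decode())
        files = {name: read_object(store, bsha)[1] for _, name, bsha in parse_tree(tree)}
        yield sha, files
        sha = headers[b"parent"].decode() if b"parent" in headers else None

def build_sample_repo():
    """Constructed two-commit history (not the CTF’s): md5 in the old commit, bcrypt added in the new one."""
    store = {}
    def put(t, c):
        sha, packed = hash_object(t, c)
        store[sha] = packed
        return sha
    def commit(parent, files, msg):
        tree = put(b"tree", b"".join(b"100644 " + n.encode() + b"\x00" + bytes.fromhex(put(b"blob", c))
                                     for n, c in sorted(files.items())))
        head = b"tree " + tree.encode() + b"\n" + (b"parent " + parent.encode() + b"\n" if parent else b"")
        return put(b"commit", head + b"author d <d@example.invalid> 1 +0000\ncommitter d <d@example.invalid> 1 +0000\n\n" + msg)
    c0 = commit(None, {"app.js": b"const md5 = require('md5');\n"}, b"initial\n")
    return store, commit(c0, {"app.js": b"const bcrypt = require('bcrypt');\nconst md5 = require('md5');\n"}, b"use bcrypt\n")
```

Running `list(walk_commits(*build_sample_repo()))` gives two snapshots of app.js, which is exactly why the older commit on the real site still mattered: every previous version of every file is recoverable from the leaked objects.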

Don’t forget to check the instructions in their repository!

Let’s now inspect the files further.

Great, two new odd-looking files. By the way, the “0-” and “1-” prefixes are just the index of the commits.

Congratulations we dumped the content. The first thing that grabs my attention here is users.db.

Great, it’s an SQLite3 file. Let’s inspect it.

lmao ignore me misspelling tables

Okay, great. This looks like a bcrypt password hash. I know that from experience, and also from the fact that app.js in the same commit uses the bcrypt library:

Weird, though. It also imports the md5 hashing library. md5 is a far weaker hashing algorithm than bcrypt. Let’s check the other commit we had; maybe we find something different there.

Same stuff from the surface. Let’s check app.js.

Okay, so they aren’t importing the bcrypt library in this commit. Could that mean the database here also contains md5-hashed passwords?

How can you misspell tables twice?

Bingo! md5-hashed passwords. md5-hashed passwords have “reversers” online. What that means is that people from the community have built databases mapping each hash back to the word it came from, computed over a wordlist. Technically you can’t reverse a hash; that’s the point. But the md5 hash of “elliot” will always be the same value, so a precomputed lookup works. That very simple logic is what these “reversers” and rainbow tables rely on.

Heck, even just googling one of these hashes might help you out.

Great, it seems the first hashed password in the database, for the email “aaron@cgau.sdc.tf”, is the md5 hash of “weekpassword”. If this method didn’t make sense to you, forget my method and google “md5 reverser online”, paste in the md5 hash and you should be good.

If you look through the directory, you will find the login page they “hid”.

There is an admin.html

Great. Let’s go to admin.html and log in.

Boom

Fun story: when I originally dumped and extracted all the files, I didn’t notice that the other commit had anything different. So I wasted my time asking people I knew who were into crypto how we could crack the bcrypt-hashed passwords, only to find out that someone from my team had already solved the challenge hours prior.

The person submitting the flag hours prior.
I am dumb. I know.

Edit: Someone had a way smaller solve ahahhaha. I love it.

Post CTF conversation
lmao

Edit finish.

If you think this write-up helped you, feel free to follow me on Twitter. I am also actively looking for a freelance job in cybersecurity/development, preferably tech writing. Cheers!

People simp for girls, I simp for information. Switzerland ❤