Tryhackme
Git Happens is an easy-category room developed by hydragyrum. It is a simple room exploiting a silly but common mistake: leaving the .git directory publicly accessible on the web server. Check out the room here.
Let's start with the nmap scan.
nmap -sC -sV -v -oA nmap/initial IP
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
| http-git:
|   10.10.47.160:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have a web server. The default nmap scripts (http-git) also found a git directory publicly available on the web server at /.git. Let's confirm this by visiting it in the browser, and indeed there is a lot of stuff here. Now, you could manually download all the files via wget or curl, but that would be tedious. So I used git-dumper from GitHub, a Python script that can dump an entire git repo from the web easily.
Now, to look through the downloaded git directory, we can use the usual git commands. In the initial stages of developing a website, developers often leave things like credentials, API keys and sensitive comments in the code for convenience. As the project grows, we (hopefully!) move to more secure coding practices and get rid of that sensitive stuff, but git keeps every version, so it stays in the history. Let's see what this website looked like in its early days.
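Before moving on to the repository itself, here is a small check you can run against your own site to see whether it exhibits the same exposure nmap's http-git script flagged above. This is an added example, not code from the room or the write-up: it fetches /.git/HEAD and only reports exposure when the body is exactly what git writes to that file (a symbolic ref or a bare commit id), so a server that answers every path with a generic 200 page is not a false positive. The target URL is a placeholder.

```python
"""Added example (not from the original write-up): detect whether a web
server serves its own .git metadata, the signal nmap's http-git keys on.

Assumptions (mine, not the page's): the probed path is /.git/HEAD, and a
real HEAD file is a single line that is either "ref: refs/heads/<branch>"
or a 40-hex SHA-1. Point check_site() at a host you own to confirm that
the deny rule in your web server config actually works.
"""
import re
import urllib.error
import urllib.request

# git writes exactly one line to .git/HEAD: a symbolic ref or a raw SHA-1.
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})$")


def looks_like_git_head(body: str) -> bool:
    """True only if the text is a plausible .git/HEAD file.

    A 200 status alone is not enough: many servers answer unknown paths
    with an HTML page, which must not count as an exposed repository.
    """
    text = body.strip()
    if "\n" in text:
        return False
    return HEAD_RE.match(text) is not None


def check_site(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch <base_url>/.git/HEAD and report whether it looks exposed.

    Returns a dict instead of printing so the check can be wired into a
    CI job or an uptime monitor.
    """
    url = base_url.rstrip("/") + "/.git/HEAD"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(512).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # 403/404 is the healthy outcome for this path.
        return {"url": url, "status": exc.code, "exposed": False}
    except (urllib.error.URLError, OSError) as exc:
        return {"url": url, "status": None, "exposed": False, "error": str(exc)}
    return {"url": url, "status": status, "exposed": looks_like_git_head(body)}


if __name__ == "__main__":
    import sys

    # Placeholder target; replace with a host you are responsible for.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    print(check_site(target))
```

The expected healthy result is a 403 or 404 for that path. On nginx, which is what this box runs, that is usually achieved with a `location ~ /\.git` block that returns 404, or better, by never deploying the .git directory to the document root in the first place.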
git log
This command shows all the commits ever made during the life of this website. Let's look at the early commits.
To see what changes each individual commit does , we can use the command
git show commit_hash
The initial commit was not interesting, so let's move on to the second one. The commit message says Made the Login Page, so maybe it has something juicy.
And we have the creds for the login page. We are done with this room. No seriously, this is it. Duhh!
Hope you learned something new, and thanks for reading.
CHAO!
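The lesson of the room is that removing a credential in a later commit does not remove it from the history. The following is an added example, not part of the write-up or the room, of a pre-publish check that walks `git log -p` output and flags credential-looking lines that were added in any commit, so a "Made the login page" mistake is caught before the repository ever reaches a web root. The sample log, its commit hashes and the file contents are all constructed for the example; the regexes are a starting set, not a complete secret scanner.

```python
"""Added example (not from the original write-up): find secrets that were
committed at any point in a repository's history.

scan_log() works on the text of `git log -p`; scan_repo() is a thin
wrapper that runs git for you. The SAMPLE_LOG below is constructed and
its hashes are made up.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Patterns that typically mark a hard-coded secret (case-insensitive
# where the keyword matters). Extend to taste.
SECRET_PATTERNS = [
    re.compile(r"(password|passwd|pwd)\s*[=:]\s*['\"]?\S+", re.I),
    re.compile(r"(api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"]?\S+", re.I),
    re.compile(r"AKIA[0-9A-Z]{16}"),  # AWS access key id shape
    re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
]


@dataclass
class Finding:
    commit: str   # abbreviated commit id
    subject: str  # first line of the commit message
    file: str     # path of the file the line was added to
    line: str     # the offending added line


def scan_log(log_text: str) -> list[Finding]:
    """Return one Finding per added line that matches a secret pattern."""
    findings: list[Finding] = []
    commit = subject = path = ""
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
            subject = path = ""
        elif commit and not subject and raw.startswith("    "):
            # git indents the commit message by four spaces
            subject = raw.strip()
        elif raw.startswith("+++ b/"):
            path = raw[len("+++ b/"):]
        elif raw.startswith("+") and not raw.startswith("+++"):
            added = raw[1:]
            if any(p.search(added) for p in SECRET_PATTERNS):
                findings.append(Finding(commit[:12], subject, path, added.strip()))
    return findings


def scan_repo(repo_dir: str) -> list[Finding]:
    """Run git in repo_dir and scan the full history of every branch."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_log(out)


# Constructed sample mimicking the room: a later commit adds a login page
# with a hard-coded password; the initial commit is clean. Hashes are fake.
SAMPLE_LOG = """\
commit 2faa9c5e1d3c7b9d0a4e5f6a7b8c9d0e1f2a3b4c
Author: dev <dev@example.com>
Date:   Mon Jan 1 10:00:00 2024 +0000

    Made the login page

diff --git a/login.php b/login.php
new file mode 100644
--- /dev/null
+++ b/login.php
@@ -0,0 +1,4 @@
+<?php
+$username = "admin";
+$password = "Sup3rS3cretPass";
+?>
commit 1e0f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f
Author: dev <dev@example.com>
Date:   Mon Jan 1 09:00:00 2024 +0000

    Initial commit

diff --git a/index.html b/index.html
new file mode 100644
--- /dev/null
+++ b/index.html
@@ -0,0 +1,2 @@
+<h1>Super Awesome Site!</h1>
+<!-- password field is on the login page -->
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.commit} {f.file}: {f.line}  ({f.subject})")
```

Note that the HTML comment mentioning "password" is deliberately not flagged: the patterns require an assignment-like `=` or `:` after the keyword, which keeps the noise down when this runs in CI. If a scan does hit, rotating the credential is the only real fix; rewriting history helps only before the repository has been shared or published.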