Git to the core
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-16-edited.png?resize=1154%2C650&ssl=1)
In this level we have a link to a GitLab repository, which is not accessible.
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-18-edited.png?resize=367%2C183&ssl=1)
And an embedded secret gist with so many forks (why so many forks?)
Turns out you can clone a gist and it has branches.
One of the branches of this commit has a link to a .git path with directory listing enabled.
http://51.15.92.102/.git/
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-19.png?resize=722%2C420&ssl=1)
Details are in Yash’s CTF writeup.
But that’s not how I got the path to the .git directory. Being a curious person, I first tried all the known links and IPs hosted in this CTF, one being on Level 6 – Do Not Serve (No, I didn’t solve the levels in order, not guilty). I copied the IP I got from Level 6 and checked its open ports. Port 8080 is open but doesn’t have a .git directory. Port 80 is open but is password protected.
Viewing the level’s page source reveals some obfuscated JavaScript code. I just copied it and ran it in the developer console. It hung my browser window.
Now you know why I am paranoid about executing unknown JavaScript code.
So I deobfuscated the JavaScript code and found an interesting base64-encoded string.
console.table("YWRtaW46QCMhbno0SiNtUiY0Y2g=");
Decoded it and it looks like a username:password pair: admin:@#!nz4J#mR&4ch
I used this username and password and got access to http://51.15.92.102/.git/
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-20.png?resize=546%2C381&ssl=1)
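The leak described above, a base64 literal in page JavaScript that decodes to a username:password pair, is something a pre-deployment scan of client-side code can flag. The following is an added example, not code from the original writeup; the function name, the regex thresholds and every sample line other than the console.table call are assumptions.

```python
import base64
import binascii
import re

# Quoted string literals made only of base64 characters, 16+ chars long.
B64_LITERAL = re.compile(r"""(["'`])([A-Za-z0-9+/]{16,}={0,2})\1""")
# Decoded text shaped like HTTP Basic credentials: user:password, printable ASCII.
CRED_SHAPE = re.compile(r"^[A-Za-z0-9._@-]{1,64}:[\x21-\x7e]{4,}$")


def find_embedded_credentials(js_source):
    """Return (line_no, literal, username) for each base64 literal that
    decodes to a user:password pair. The password is never returned."""
    findings = []
    for line_no, line in enumerate(js_source.splitlines(), start=1):
        for match in B64_LITERAL.finditer(line):
            literal = match.group(2)
            if len(literal) % 4:
                continue  # not valid padded base64, e.g. a long identifier
            try:
                decoded = base64.b64decode(literal, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue  # binary data or not base64 at all
            if CRED_SHAPE.match(decoded):
                findings.append((line_no, literal, decoded.split(":", 1)[0]))
    return findings


# Constructed sample: the console.table line is from the writeup,
# the other two lines are made up to exercise the non-matching paths.
SAMPLE_JS = '''\
var banner = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=";
console.table("YWRtaW46QCMhbno0SiNtUiY0Y2g=");
var cls = "navigationHeaderContainer";
'''

if __name__ == "__main__":
    for line_no, literal, user in find_embedded_credentials(SAMPLE_JS):
        print(f"line {line_no}: {literal[:8]}... decodes to credentials for user {user!r}")
```

Obfuscation that splits or re-encodes the string defeats a literal scan like this one, so it complements rather than replaces keeping credentials out of anything served to the browser.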
Downloaded this repository using git-dumper and checked the commits and got the code.
![](https://i0.wp.com/sukhmeet.com/wp-content/uploads/2023/10/image-21.png?resize=604%2C364&ssl=1)
Entered the code on the challenge page and got the flag.