0x00SEC CTF - Exercise #1

This weekend I took a dive into 0x00Sec's new bi-monthly CTF.

• CTF Name: Exercise #1
• Resource: 0x00SEC
• Difficulty: Easy... ish
• Number of Flags: 1

Note::: NO, I wont be posting the found flag{}, but I will be posting the methods I used.

---

Flag0

• Hint: None originally. Received "git" and "enumerate HTTP" from their twitter after reaching out.

• Acquired By:

  • First thing to do is to just try some inputs into the application its self and see what the network was doing. This shows that the payload is being URL Encoded and I am going to need to find another path in. (I did test multiple inputs to see if any characters would be accepted but none were)
  • Second thing I looked at was the URL and if there was any others that I could get access to. Nothing came up that I tried. Everything said "Not Found."
  • Third thing I did was to look at the code itself. The hint about the "git directory" wasn't obvious to me at first and after talking with my bf I went down the path of looking at the Bootstrap files and template to see if there was something there... there wasn't.
  • Forth is to look at the error pages. They says things like "Apache/2.4.38 (Debian) Server at exercise-1.0x00sec.dev Port 80" and this made me wonder if there was an Apache issue. There apparently is with this version but I was not able to get it to work. =(
  • I again needed to talk with bf and after telling him about the "git" hint that I received, he recommend looking at the git directory. What is a git directory? First, within the URL if you try different paths you can see that some say "Not Found" and some, like /.git say "Forbidden". Now it's time to look into a .git directory because it is there BUT I don't have access to it. There is a lot of information that .git directory can contain As you can see it is a directory for git information. I take my time researching the directory and trying different paths.
  • Once I see there are paths of the git directory that are accessible I start enumerating them to see what's inside. This process would be easier with a script or tool but I did it allllllll by hand. Why? Because I am most comfortable doing things by hand still. So, first one I hit is the logs/HEAD This information tells me the main user "pry" and some commit information. (An important thing to note is the numbers and how they repeat with in the commits.)
  • After trying other paths there is also a config file with no useful information, logs/refs/heads/master that had the same information as the lots head, the index file that can be downloaded, and the objects path is there but I need to figure out its pattern to access parts of it.
  • To get the objects file to give some information my bf helped me build a script to try every 2 letter/number combination. We were able to get 4 paths but not the next file that each object holds. I noticed that the first object, /objects/05, that we found was the beginning of one of the hashes from the logs/HEAD page, 05480569507a37df7731115a5888f91b145c189d.
  • Once we tried adding a / to the hash we were able to download a compressed binary file. This told us that we needed more information so we went through all the paths we found and downloaded each file.
  • Now that we have all the files we needed to decompress them. When looking up information on the git directory I found a bit of information about them being compressed using a sha1 has so we were decompressed them and got some interesting information out. This lead us to trying to read the hex, or so we thought. This was a rabbit hole with no useful information.
  • Now bf pulled up and app and tried to reconstruct the git directory locally with the information that we had. Once this was done he saw the pattern that the logs/head file was showing with the commit hashes, and oops we missed one or two so we ran the script again to try them all and found some more.
  • Once we got all the objects and their information this lead to the last file that was compressed and contained the commit for the index.php file. This file contained the script for the index.php page with the admin's username and password hard coded into it.
  • Now that we have the index.php file and we can see the part where the password is we need to decrypt it so use. This was super easy as we were able to simply put it into a website and get its output.
  • Now that the password for the admin is available you can log into the admin account and the flag pops up.

• Thoughts:
  This was hard. Without my bf I would not have understood the hint or even how to approach this. It was labeled as a beginner-expert level exercise, but I feel like it should not have been the first one. If I had never done a CTF before I would be so discouraged.
  That being said.... I did learn a lot about looking at the files and its structure and paying attention to the details. I will need to get better at enumerating a site to solve things quicker. This took me 3 hours... =/

Learned

This CTF taught me about .git directory and information disclosure issues. I am curious to see why the git directory was exposed like this and how to prevent it but that will be for another blog.

---

Happy Hacking

Resources

1. https://codemirror.net/.git/logs/refs/
2. https://md5decrypt.net/en/Sha256
3. https://ctf.0x00sec.org/

Please Note that I am still learning. If something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Comments

[Sujay Kundu]

That's really cool ! I never thought of the way you looked at the .git directory before 👌💯

[DaNeil C]

Right?! I've found that it's not usually accessible like this if it's not even there, BUT if it is just forbidden or hidden this has worked.