| Category | Difficulty | Solves | Author |
|---|---|---|---|
| forensics | medium | 5 | sudoBash418 |
## Description
We’ve received reports of a t3l0s git repository open to the internet, containing a secret key.
Unfortunately, it looks like we were too late - the secret key is nowhere to be found! Can you help us out?
Players are given a single file: `git-repo.tar`

There is also a single hint available:

> `git commit --amend && git push --force` is not always a silver bullet.
## Analysis
The archive contains a bare git repo, which can be extracted to a new directory:

```shell
$ mkdir repo
$ tar xf git-repo.tar -C repo
$ cd repo
```
Based on the challenge description and hint, we can assume we should look for a “removed” commit.
## Solution
We can list unreachable objects (including commits) using `git fsck`:

```shell
$ git fsck --unreachable
Checking object directories: 100% (256/256), done.
Checking objects: 100% (13/13), done.
unreachable tree 43108c1907c8021913c952d24fb9c6b27455eebd
unreachable commit e4dd42d2292550453969f61dc188f73fdefe110c
unreachable blob 4dfc65d0f476d7f4d13885d879034f5889bb3e4b
Verifying commits in commit graph: 100% (3/3), done.
```
Then show the commit contents:
```shell
$ git show e4dd42d2292550453969f61dc188f73fdefe110c
commit e4dd42d2292550453969f61dc188f73fdefe110c
Author: webdev2103 <webdev2103@t3l0s.internal>
Date: Tue Mar 14 01:47:50 2023 -0600

    Add session middleware for security

diff --git a/.env b/.env
new file mode 100644
index 0000000..4dfc65d
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+SECRET_KEY=Y2x1YmVoezFnbjByNG5jM18xNV9ibDE1NV9jNWZlYzM0YX0K
...
```
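Review bot: the `.env` hunk commits a credential (`+SECRET_KEY=...`) into version control, and since amending the commit leaves the blob in the object store, rewriting history does not un-expose it. The key should be treated as compromised and rotated, `.env` added to `.gitignore`, and the value loaded from the environment or a secrets store instead of a tracked file.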
And decode the base64-encoded key to get the flag:
```shell
$ echo Y2x1YmVoezFnbjByNG5jM18xNV9ibDE1NV9jNWZlYzM0YX0K | base64 -d
clubeh{1gn0r4nc3_15_bl155_c5fec34a}
```
## Fully-automated Solve Script
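An added example, not the author's solve script: it builds a constructed bare repository out of loose objects (hashed and zlib-compressed the way git stores them, holding a constructed base64 secret), then reimplements in plain Python the reachability walk behind `git fsck --unreachable` and the `git show` step, so it runs without git installed and also demonstrates the Conclusion's point that an amended commit's tree and blobs stay on disk once the branch ref moves on. Every path, identity, commit message and value in it is constructed; `build_constructed_repo`, `unreachable` and `recover_secret` are hypothetical helper names.

```python
import base64
import hashlib
import os
import re
import tempfile
import zlib


def hash_object(kind, data):
    """(object id, compressed bytes) for a loose object: git hashes 'kind size\\0' + content."""
    raw = f"{kind} {len(data)}\0".encode() + data
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def write_object(repo, kind, data):
    oid, packed = hash_object(kind, data)
    path = os.path.join(repo, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(packed)
    return oid


def read_object(repo, oid):
    with open(os.path.join(repo, "objects", oid[:2], oid[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), body


def tree_entry(mode, name, oid):
    # A tree entry is 'mode name\0' followed by the raw 20-byte object id.
    return f"{mode} {name}\0".encode() + bytes.fromhex(oid)


def parse_tree(body):
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def commit_body(tree_oid, message):
    ident = b"webdev <webdev@example.invalid> 0 +0000"  # constructed identity
    return b"tree %s\nauthor %s\ncommitter %s\n\n%s\n" % (tree_oid.encode(), ident, ident, message.encode())


def all_objects(repo):
    objdir = os.path.join(repo, "objects")
    return {p + rest for p in os.listdir(objdir) if len(p) == 2 for rest in os.listdir(os.path.join(objdir, p))}


def reachable(repo):
    """Walk from every ref as fsck does: commits lead to parents and trees, trees to blobs/subtrees."""
    stack, seen = [], set()
    for root, _, files in os.walk(os.path.join(repo, "refs")):
        for name in files:
            with open(os.path.join(root, name)) as f:
                stack.append(f.read().strip())
    while stack:
        oid = stack.pop()
        if oid in seen:
            continue
        seen.add(oid)
        kind, body = read_object(repo, oid)
        if kind == "commit":
            for line in body.split(b"\n\n", 1)[0].split(b"\n"):
                if line.startswith((b"tree ", b"parent ")):
                    stack.append(line.split()[1].decode())
        elif kind == "tree":
            stack.extend(entry_oid for _, _, entry_oid in parse_tree(body))
    return seen


def unreachable(repo):
    """The object set that 'git fsck --unreachable' prints: everything on disk minus the ref walk."""
    return all_objects(repo) - reachable(repo)


def recover_secret(repo):
    """Emulate 'git show' on each dangling commit: read its tree, decode the first SECRET_KEY= blob line."""
    for oid in sorted(unreachable(repo)):
        kind, body = read_object(repo, oid)
        if kind != "commit":
            continue
        tree_oid = body.split(b"\n", 1)[0].split()[1].decode()
        for mode, _, blob_oid in parse_tree(read_object(repo, tree_oid)[1]):
            if mode.startswith("100"):  # regular file entry, not a subtree
                match = re.search(rb"^SECRET_KEY=(\S+)", read_object(repo, blob_oid)[1], re.M)
                if match:
                    return base64.b64decode(match.group(1)).decode()
    return None


def build_constructed_repo():
    """Constructed stand-in for git-repo.tar: a leaked root commit plus the amended commit that
    replaced it. Only the amended commit is referenced; the leaked one just lingers on disk."""
    repo = tempfile.mkdtemp(prefix="constructed-bare-repo-")
    os.makedirs(os.path.join(repo, "refs", "heads"))
    secret = base64.b64encode(b"flag{constructed_example}").decode()  # constructed value
    env = write_object(repo, "blob", f"SECRET_KEY={secret}\n".encode())
    app = write_object(repo, "blob", b"print('hello')\n")
    leaked_tree = write_object(repo, "tree", tree_entry("100644", ".env", env) + tree_entry("100644", "app.py", app))
    clean_tree = write_object(repo, "tree", tree_entry("100644", "app.py", app))
    msg = "Add session middleware for security"
    leaked = write_object(repo, "commit", commit_body(leaked_tree, msg))
    amended = write_object(repo, "commit", commit_body(clean_tree, msg))
    with open(os.path.join(repo, "refs", "heads", "main"), "w") as f:
        f.write(amended + "\n")  # the branch only ever points at the amended commit
    return repo, {leaked, leaked_tree, env}
```

Calling `build_constructed_repo()` and then `recover_secret(repo)` returns the constructed flag; `unreachable(repo)` returns exactly the three dangling objects (commit, tree, blob), mirroring the three `unreachable` lines in the `git fsck` output above. Real repositories also keep objects in packfiles, which this loose-object walk does not read.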
## Conclusion
This challenge is based on `git`'s behavior surrounding “removed” commits.
Specifically, `git` doesn't necessarily delete a commit's content when it becomes inaccessible (e.g. after a `git commit --amend`).
This behavior is complicated further when pushing to remote repositories, where local state often differs from the remote state.
In fact, the repository used in this challenge is a simulated “remote” repository.
GitBleed is a similar issue, albeit focused more on `git clone --mirror`.