Welcome back everyone.

As promised in the previous post, I will go over some of the technical details. I wanted to use a more practical scenario, and this CTF by my favorite security community came in handy.

So quickly let's get into solving this CTF.

Here is a post by @pry0cc that suggests monthly CTFs within the forum.

I quickly registered and got pwning.

At this point there was only one challenge.

Opening the link, I found a very simple login page. I checked the usual things (cookies, simple SQLi tests), but there was nothing much.

As usual, I hunt for the lowest-hanging fruit first; it tends to lead to owning the whole tree. On viewing the page source, we find an interesting HTML comment.

GIT directory!?!!

We can quickly confirm that by browsing to the .git/HEAD.

git directory available

Git Harvesting

From the previous post, I promised to demonstrate how to harvest exposed git directories, so let's get kicking.

There are a number of tools online; I have personally used quite a few, but the most reliable one I've found is https://github.com/internetwache/GitTools. Since there are other version control systems as well, e.g. svn, another tool that supports those is https://github.com/kost/dvcs-ripper.

Now that we know the toolkit, let's quickly clone the GitTools repo.

As you can see, we have three sets of tools:

  1. Finder - For finding exposed git directories on a website
  2. Dumper - For downloading all the git objects and files
  3. Extractor - For extracting git objects into individual source files and commits.

For this we will just need the Dumper and the Extractor.

The Dumper goes ahead and downloads all the git files and objects. At this point you cannot yet view any source code, so let's extract the source from the dumped objects.

Source code extraction

Wonderful, we now have all the source code. Let's go through it and understand the logic of the application.

<?php
// Login handler recovered from the dumped repository (xor_this() is defined elsewhere in the app and not shown here).
if (isset($_POST["username"]) && isset($_POST["password"])) {
    // Note: the hash is compared with loose (==) rather than strict (===) comparison.
    if ($_POST["username"] == "admin" && hash('sha256', $_POST["password"]) == "e83176eaefcc1ae8c4a23dbc73ebcf122f26cfb9ba5c7cf4763e96c1c38a6c6c") {
        echo '<h4> '.xor_this(base64_decode("Cl9SEwgSQRVFUA1dAl1dVFkaQF0CWAQUTQ=="), $_POST["password"]).' </h4>';
    } else {
        echo '<h4 class="error"> Incorrect Password :) </h4>';
    }
}

No SQL statements, so SQLi is out. Here is what we have: the application hashes the submitted password with SHA-256 and compares it to the hardcoded hash; if they are equal, it XORs the base64-decoded string with the cleartext password that was submitted.

Password Cracking

There are several ways to crack a password hash; the most common is a dictionary attack, or using online lookup services like crackstation.net.

When I was solving this CTF, I had not configured my OpenCL drivers for hashcat, so I decided to try crackstation.net, and voilà.

cleartext password: l33tsupah4x0r

Now let's log in with the credentials admin:l33tsupah4x0r
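To show what the recovered login code actually does once the cracked password is submitted, here is an added Python re-implementation of the check and the XOR step (example code written for this post, not the CTF's own PHP). It assumes the app's xor_this() is a plain repeating-key XOR, and it swaps the loose == hash comparison for a constant-time one:

```python
import base64
import hashlib
import hmac

# Values taken from the login code recovered from the dumped repository.
EXPECTED_SHA256 = "e83176eaefcc1ae8c4a23dbc73ebcf122f26cfb9ba5c7cf4763e96c1c38a6c6c"
ENCODED_FLAG = "Cl9SEwgSQRVFUA1dAl1dVFkaQF0CWAQUTQ=="


def xor_this(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed behaviour of the app's xor_this()).

    XOR is its own inverse, so the same call both masks and unmasks the data.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def password_matches(password: str) -> bool:
    """Mirror the PHP hash check, but compare in constant time instead of with ==."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, EXPECTED_SHA256)


def recover_flag(password: str) -> str:
    """Decode the base64 blob and XOR it with the password, as the app does on success."""
    blob = base64.b64decode(ENCODED_FLAG)
    return xor_this(blob, password.encode()).decode("latin-1")


if __name__ == "__main__":
    pw = "l33tsupah4x0r"  # the password recovered via crackstation.net
    print("hash matches:", password_matches(pw))
    print("output:", recover_flag(pw))
```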


And that's how I pwned the CTF.

You can also share your method for solving the CTF, and be sure to sign up for the exciting community at http://0x00sec.org and learn more.

Thank you. In the next post we will cover the Redis pwn methodology, as promised in the previous post. Stay tuned.