Author: Yadhu Krishna
Analysis
Upon opening the challenge, we are greeted with a login page, and the credentials are not given. However, the given hint leads us to the .git directory at http://HOST:PORT/.git/.
Exploiting
Now we have a fully accessible .git directory. The exposed directory can be recursively cloned using
This command clones all the files in the .git directory to the local computer. The cloned directory is a valid git directory and contains all the information about commits, history, the remote repository address, etc.
Upon checking the status of the repository with the git status command, we find that index.php has been deleted. The deleted index.php file can be restored with the git restore command.
We can now find the username in index.php; however, the password appears to be hashed.
Upon checking the commit history with the git log command, we find there are 3 commits.
We see that there is a commit with ID 8c722b69146bcdca516488e17a76447e44132c7a that mentions a security issue that was fixed.
We can revert to the first commit using the git checkout 6e672df7e870349b61df637122b0871816d612f2 command. (Note that the ID given is that of the first commit.)
Now let us check the source code of index.php. This gives us the username and password of the application.
Upon logging in with these credentials, we get the flag.
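The history walk above, seen from the defender's side, as an added example that is not part of this write-up: a POSIX shell script (assumes git is installed) that builds a constructed three-commit repository mirroring the one described (plaintext credential, a "fix" commit that hashes it, a commit that deletes the file) and then reports which commits still carry the plaintext credential in index.php and which commit is the root. The function names history_grep, first_commit and make_demo_repo, the commit messages and all file contents are constructed for the example; the hash value is a placeholder, not a real digest.

```shell
#!/bin/sh
# Added example (not from the write-up): audit a local git checkout for a
# secret that survives in history after a "fix" commit and a later deletion.
# Assumes git is on PATH. The demo repository is constructed below.

# Print, oldest first, every commit in which FILE (as it existed at that
# commit) matches PATTERN. Revisions where the file is absent are skipped.
history_grep() {
    repo=$1; file=$2; pattern=$3
    git -C "$repo" rev-list --reverse HEAD -- "$file" | while read -r rev; do
        if git -C "$repo" cat-file -e "$rev:$file" 2>/dev/null &&
           git -C "$repo" show "$rev:$file" | grep -q -- "$pattern"; then
            echo "$rev"
        fi
    done
}

# The parentless (root) commit, the one the write-up checks out.
first_commit() {
    git -C "$1" rev-list --max-parents=0 HEAD
}

# git wrapper with a fixed identity so commits work in a clean environment.
demo_git() {
    d=$1; shift
    git -C "$d" -c user.name=demo -c user.email=demo@example.invalid "$@"
}

# Build the constructed three-commit history described in the write-up.
make_demo_repo() {
    dir=$1
    git -c init.defaultBranch=main init -q "$dir"
    # commit 1: plaintext credential (constructed value)
    printf '<?php $user="admin"; $pass="plaintext-secret"; ?>\n' > "$dir/index.php"
    demo_git "$dir" add index.php
    demo_git "$dir" commit -q -m "initial login page"
    # commit 2: the "security fix" replaces the password with a placeholder hash
    printf '<?php $user="admin"; $pass="PLACEHOLDER_HASH_NOT_A_REAL_DIGEST"; ?>\n' > "$dir/index.php"
    demo_git "$dir" add index.php
    demo_git "$dir" commit -q -m "fix security issue"
    # commit 3: the file is removed from the working tree, not from history
    demo_git "$dir" rm -q index.php
    demo_git "$dir" commit -q -m "remove index.php"
}

# Demonstration on the constructed repo in a temporary directory.
demo_dir=$(mktemp -d)
make_demo_repo "$demo_dir"
echo "root commit: $(first_commit "$demo_dir")"
echo "commits whose index.php still contains the plaintext credential:"
history_grep "$demo_dir" index.php 'plaintext-secret'
rm -rf "$demo_dir"
```

The point the script makes is the one the write-up exploits: a commit that replaces a secret, and even a commit that deletes the file, leaves the original blob reachable from history, so the only fix is to rotate the credential and keep the .git directory out of the web root (and, if the history is published, rewrite it).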