Bandit LV28-30: finally a familiar exploration: git
#git #gitlog #gittag #gitshow #repo #ssh
Bandit 28: Reverting to an older Git Commit
We have a cloned repo that contains the file `README.md`. Inside it says:
- username: bandit29
- password: xxxxxxxx
Clearly the password has been removed in the current version of the repo. The stated purpose of `.git` is version control, so it stands to reason that we can easily check whether previous Git commits exist by viewing `git log`:
```
commit edd935d60906b33f0619605abd1689808ccdd5ee
Author: Morla Porla morla@overthewire.org
Date: Thu May 7 20:14:49 2020 +0200

    fix info leak

commit c086d11a00c0648d095d04c089786efef5e01264
Author: Morla Porla morla@overthewire.org
Date: Thu May 7 20:14:49 2020 +0200

    add missing data

commit de2ebe2d5fd1598cd547f4d56247e053be3fdc38
Author: Ben Dover noone@overthewire.org
Date: Thu May 7 20:14:49 2020 +0200

    initial commit of README.md
```
So I decided to try to reverse back to the initial commit using `git reset --hard HEAD~1`.
Received the result: `HEAD is now at c086d11 add missing data`
Checked my `README.md` file and voilà! Ze password iz mine!!
Bandit 29
Same as the previous Bandit level. We are given a repo, and inside the `README.md` are the following credentials:
- username: bandit30
- password:
I started poking around the `.git` directory and found this in `ORIG_HEAD` that looks interesting:
208f463b5b3992906eabf23c562eda3277fea912
Since it looks like a Git commit hash, I tried reverting to it and found nothing. Then I noticed that the `packed-refs` file also contained some Git commit hashes:
```
# pack-refs with: peeled fully-peeled
bc833286fca18a3948aec989f7025e23ffc16c07 refs/remotes/origin/dev
208f463b5b3992906eabf23c562eda3277fea912 refs/remotes/origin/master
786d5bea2bd2dcbed2c8896a310c3c5306bc713c refs/remotes/origin/sploits-dev
```
Another way I could have accessed this info would be using the `git show-ref` command to check for all Git references in the local repo.
I then reset Git to the `/origin/dev` and checked the `README` and yes! Password found!

```
git reset --hard bc833286fca18a3948aec989f7025e23ffc16c07
HEAD is now at bc83328 add data needed for development
```
Bandit LV30: Searching an “empty” repo for clues
Similar to the last two levels, we are given a repo, only this time it's EMPTY save for the `README.md`, which just has this hilarious message: `just an epmty file... muahaha` <- MIS-SPELLED AND ALL! I laughed.
Then I tried the usual suspects:
`git log` gives us just the initial commit of `README.md`, not helpful:
```
commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover noone@overthewire.org
Date: Thu May 7 20:14:54 2020 +0200

    initial commit of README.md
```
I tried `git show`, which describes the HEAD commit by default:
```
commit 3aefa229469b7ba1cc08203e5d8fa299354c496b
Author: Ben Dover noone@overthewire.org
Date: Thu May 7 20:14:54 2020 +0200

    initial commit of README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..029ba42
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
```
This does look like there was a new `README.md` file created, the useless one. Not sure how helpful this is?
Decided to poke around the repo references again: `less ./.git/packed-refs`
```
# pack-refs with: peeled fully-peeled
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
```
This `secret` tag is interesting. A Git tag is a reference to a specific point in Git history and stores data about that point. It can be inspected with the command syntax `git show <tag>`.
So I tried `git show f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea`
And the password onwards appeared!
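
The `packed-refs` listings from levels 29 and 30 can also be audited mechanically. The following is an added example, not part of the original write-up: it parses the file format shown above and lists every ref that does not resolve to the checked-out commit. The function names are hypothetical, and the baseline is assumed to be the `origin/master` hash from each listing.

```python
import re

# The two packed-refs listings quoted in this write-up (levels 29 and 30).
LEVEL29 = """\
# pack-refs with: peeled fully-peeled
bc833286fca18a3948aec989f7025e23ffc16c07 refs/remotes/origin/dev
208f463b5b3992906eabf23c562eda3277fea912 refs/remotes/origin/master
786d5bea2bd2dcbed2c8896a310c3c5306bc713c refs/remotes/origin/sploits-dev
"""
LEVEL30 = """\
# pack-refs with: peeled fully-peeled
3aefa229469b7ba1cc08203e5d8fa299354c496b refs/remotes/origin/master
f17132340e8ee6c159e0a4a6bc6f80e1da3b1aea refs/tags/secret
"""
SHA1 = re.compile(r"[0-9a-f]{40}")


def parse_packed_refs(text):
    """Parse .git/packed-refs text into [{'name', 'sha', 'peeled'}, ...]."""
    refs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):       # header or blank line
            continue
        if line.startswith("^"):                   # peeled target of the
            if refs and SHA1.fullmatch(line[1:]):  # annotated tag just above
                refs[-1]["peeled"] = line[1:]
            continue
        sha, _, name = line.partition(" ")
        if SHA1.fullmatch(sha) and name.startswith("refs/"):
            refs.append({"name": name, "sha": sha, "peeled": None})
    return refs


def refs_to_review(text, checked_out_sha):
    """Refs a clone carries that do not resolve to the checked-out commit."""
    return [r["name"] for r in parse_packed_refs(text)
            if (r["peeled"] or r["sha"]) != checked_out_sha]


if __name__ == "__main__":
    # Assumption: the checked-out commit is origin/master in each listing.
    for label, text, head in (
        ("level 29", LEVEL29, "208f463b5b3992906eabf23c562eda3277fea912"),
        ("level 30", LEVEL30, "3aefa229469b7ba1cc08203e5d8fa299354c496b"),
    ):
        print(label, refs_to_review(text, head))
```

Every name it returns is a ref that anyone with clone access can read with `git show` or `git log`, so removing a secret in a later commit on one branch does not remove it from the repository.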