Git Happens — TryHackMe — Writeup

Hello. I’m Rahmos. Here is my Git Happens — TryHackMe — Writeup. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -p- -v <ip>


Well there is only a webserver at port 80 opened. So let’s access the website.


It’s a login page. Now check the page source (Ctrl+ U)

page source

Here’s a const variable, maybe it’s a script? Just leave it there for now. Let’s scan for hidden dirs using gobuster:

gobuster dir -u <ip>:80 -w /path-to-wordlist


A hidden folder called ./git/HEAD is present, so access it.

***From now, you can use gitdumper from GitTools: to download the leaked git repo. But if you want to understand what HEAD, master,.. is, continue reading:


It’s the HEAD for git. What is HEAD for git?

What is HEAD?

Let’s read content of this HEAD:


So, now you know the reference to the current branch, which is master branch. Which means, you can get the source code from this master branch! Let’s download the master file from browser:


The “master” file will point you to the corresponding object hash that stores the directory tree of the commit. You can use git-dumper to dump that leaked git repo:

First, make a empty folder:

mkdir empty

Next, use git-dumper shell to dump the git repo to that empty folder:

./ http://<target-ip>/.git/ empty

Now cd to that “empty” folder:

The “.git” folder will contain your download from gitdumper

Now cd .git and git log -p to see all commit history. Scroll down until you see something interesting:

commit history

Now get the password. It’s your flag!