Hello. I’m Rahmos. Here is my Git Happens — TryHackMe — Writeup. Check it out!
First, deploy the machine and scan for open ports with nmap:
nmap -A -T4 -p- -v <ip>
Well, only a web server on port 80 is open. So let’s access the website.
It’s a login page. Now check the page source (Ctrl+U).
Here’s a const variable, maybe it’s a script? Just leave it there for now. Let’s scan for hidden dirs using gobuster:
gobuster dir -u <ip>:80 -w /path-to-wordlist
A hidden path, /.git/HEAD, is present, so access it.
Note: from here on, you can use gitdumper from GitTools (https://github.com/internetwache/GitTools) to download the leaked git repo. But if you want to understand what HEAD, master, etc. are, continue reading:
It’s the HEAD for git. What is HEAD for git?
Let’s read content of this HEAD:
So now you know the reference to the current branch, which is the master branch. That means you can get the source code from this master branch! Let’s download the master file from the browser:
The “master” file gives you the hash of the commit object the branch points to, and that commit references the object that stores the directory tree. You can use gitdumper to dump the leaked git repo: https://github.com/internetwache/GitTools
First, make an empty folder:
Next, use the gitdumper shell script to dump the git repo to that empty folder:
./gitdumper.sh http://<target-ip>/.git/ empty
Now cd to that “empty” folder:
The “.git” folder will contain your download from gitdumper.
Now cd .git and run git log -p to see the full commit history. Scroll down until you see something interesting:
Now get the password. It’s your flag!
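The HEAD → refs/heads/master → object chain described earlier, as an added example that is not part of the original writeup: it builds a small constructed repository in a temp directory and resolves it by hand, from HEAD to the branch ref, to the commit object, to the tree entries. The function names, file name, file content and author identity are made up for illustration, and only loose (unpacked) objects are handled.

```python
import hashlib, tempfile, zlib
from pathlib import Path

def write_loose(git_dir, kind, body):
    raw = f"{kind} {len(body)}".encode() + b"\0" + body  # "<type> <len>\0<body>"
    sha = hashlib.sha1(raw).hexdigest()
    path = git_dir / "objects" / sha[:2] / sha[2:]  # loose-object path layout
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return sha

def read_loose(git_dir, sha):
    raw = zlib.decompress((git_dir / "objects" / sha[:2] / sha[2:]).read_bytes())
    header, body = raw.split(b"\0", 1)
    return header.decode().split(" ")[0], body

def resolve_head(git_dir):
    # HEAD holds "ref: refs/heads/<branch>", or a bare hash when detached
    head = (git_dir / "HEAD").read_text().strip()
    if not head.startswith("ref: "):
        return None, head
    ref = head[len("ref: "):]
    return ref, (git_dir / ref).read_text().strip()

def parse_tree(body):
    # each entry: "<mode> <name>\0" followed by a 20-byte binary SHA-1
    entries = []
    while body:
        head, rest = body.split(b"\0", 1)
        mode, name = head.decode().split(" ", 1)
        entries.append((mode, name, rest[:20].hex()))
        body = rest[20:]
    return entries

def walk(git_dir):  # HEAD -> branch ref -> commit object -> tree -> file entries
    ref, commit_sha = resolve_head(git_dir)
    commit = read_loose(git_dir, commit_sha)[1].decode()
    tree_sha = commit.split("\n", 1)[0].split(" ")[1]
    return ref, commit_sha, tree_sha, parse_tree(read_loose(git_dir, tree_sha)[1])

def build_constructed_repo():  # constructed sample data: one commit, one file
    git_dir = Path(tempfile.mkdtemp()) / ".git"
    blob = write_loose(git_dir, "blob", b"<h1>Login</h1>\n")
    tree = write_loose(git_dir, "tree", b"100644 index.html\0" + bytes.fromhex(blob))
    commit = write_loose(git_dir, "commit", (f"tree {tree}\nauthor a <a@example.com> 0 +0000\n"
                         "committer a <a@example.com> 0 +0000\n\ninitial\n").encode())
    (git_dir / "refs" / "heads").mkdir(parents=True)
    (git_dir / "refs" / "heads" / "master").write_text(commit + "\n")
    (git_dir / "HEAD").write_text("ref: refs/heads/master\n")
    return git_dir, blob, tree, commit
```

Calling `walk(build_constructed_repo()[0])` returns the ref name, the commit hash stored in the master file, the tree hash named by that commit, and the tree's file entries.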