TryHackMe — Source Code Security — Writeup

embossdotar
3 min read · Mar 1, 2024

Key points: Git, GitLab, Secret Management.
Source Code Security by awesome TryHackMe! 🎉

Hi All.
First, a quick introduction: this room is a Premium (subscriber-only) room.
It’s worth considering being a premium user, more info here: https://tryhackme.com/why-subscribe

To get more familiar with these topics, visit the room at https://tryhackme.com/room/sourcecodesecurity for the details. ✨ I encourage you to do the tasks on your own.

The tasks are well prepared, so I will try not to repeat their content. Everything you need is in the room, but I want to share some additional helpful resources.

Task 1 — Introduction
Get ready! 🚀

Task 2 — Git and Linus
Q: When was Git released?
A: 2005
Q: What did the Linux kernel use as a DVCS before Git?
A: BitKeeper

Additional sources:
What is Git? —
https://www.atlassian.com/git/tutorials/what-is-git
Git (Website) —
https://git-scm.com/
Git (Wikipedia) —
https://en.wikipedia.org/wiki/Git
Linus Torvalds (Wikipedia) —
https://en.wikipedia.org/wiki/Linus_Torvalds
BitKeeper (Website) —
https://www.bitkeeper.org/

Task 3 — Version Control Concepts
Q: What type of version control is Git?
A: Distributed

Additional sources:
Mercurial SCM (Website) —
https://www.mercurial-scm.org/
Apache Subversion SVN (Website) —
https://subversion.apache.org/

Task 4 — Cloud Based Version Control

Q: When was GitHub founded?
A: 2007
Q: Where do Cloud-Based VCS store code?
A: repositories

Additional sources:
GitHub —
https://github.com/
GitLab —
https://about.gitlab.com/
Bitbucket —
https://bitbucket.org/

Task 5 — Insufficient Credential Hygiene
Q: What is a solution to store secrets securely without revealing them?
A: environment variables
Q: Does using environment variables mean you are free from secrets being compromised (Yes or No)?
A: No
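The two answers above fit together: moving a credential out of the source into an environment variable removes it from the repository, but the variable is still readable by every child process the application starts (and, on Linux, by anything that can read /proc/<pid>/environ as the same user), and it still ends up in crash dumps and verbose logs. The following added example (my own code, not the room's) shows the hard-coded pattern next to the os.getenv-style pattern, spawns a child process to prove inheritance, and removes the variable after reading it so later subprocesses no longer see it. The variable name APP_API_TOKEN, the helper names and the token values are assumptions made for the demonstration.

```python
# Added example, not code from the TryHackMe room. APP_API_TOKEN and the
# helper names are assumptions; every secret value below is a constructed
# placeholder.
import os
import subprocess
import sys

# Insecure: a hard-coded credential (CWE-798). Once committed it sits in the
# repository history for anyone with read access.
HARDCODED_TOKEN = "hunter2"


def auth_header_insecure():
    """The pattern the room warns about: the secret is a literal in the code."""
    return f"Authorization: Bearer {HARDCODED_TOKEN}"


def load_token_from_env(name="APP_API_TOKEN"):
    """Read the secret from the environment (the os.getenv approach) and then
    remove it from this process's environment, so child processes started
    afterwards do not inherit it. Fail closed if it is absent."""
    token = os.environ.pop(name, None)  # pop() also calls unsetenv()
    if token is None:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return token


def child_can_see(name):
    """Spawn a child Python process and report whether `name` is visible in
    its environment. Children inherit the parent's environment by default,
    which is one reason environment variables alone do not keep a secret safe."""
    probe = f"import os, sys; sys.exit(0 if {name!r} in os.environ else 1)"
    return subprocess.run([sys.executable, "-c", probe]).returncode == 0


def refuses_when_missing(name="APP_TOKEN_THAT_IS_NOT_SET"):
    """Make sure the variable is unset and confirm the loader fails closed."""
    os.environ.pop(name, None)
    try:
        load_token_from_env(name)
    except RuntimeError:
        return True
    return False


def demo():
    """Set a constructed token, show that a child sees it before the pop and
    not after, and return (seen_before, seen_after, token)."""
    os.environ["APP_API_TOKEN"] = "constructed-token-value"
    seen_before = child_can_see("APP_API_TOKEN")  # True: inherited
    token = load_token_from_env()
    seen_after = child_can_see("APP_API_TOKEN")   # False: removed before the spawn
    return seen_before, seen_after, token


if __name__ == "__main__":
    print(demo(), refuses_when_missing())
```

Popping the variable narrows the window but does not close it: anything that dumps the process state (a crash handler, a debug endpoint that prints os.environ, a CI job log) can still expose the value, which is why the room goes on to secret management in Task 8.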

Additional sources:
What is CI/CD? —
https://www.redhat.com/en/topics/devops/what-is-ci-cd
What is CI/CD? —
https://about.gitlab.com/topics/ci-cd/

Task 6 — The Git, The Branch and The Ugly

Q: How does Git refer to isolated lines of development?
A: branches
Q: What term does Git use to refer to the original repository you cloned from?
A: origin
Q: What command can you use to “copy” the contents in a remote repository?
A: git clone

Additional sources:
Git cheat sheet:
https://education.github.com/git-cheat-sheet-education.pdf

Task 7 — USCSS Nostromo
Q: What is the name of the package that you need to import to make use of os.getenv?
A: os
Q: What is the hidden flag?
A: THM-3LL3N-RIPL3Y

Hint: Check the commit history, not only the files as they are now. A secret that was deleted in a later commit is still readable in the commit that added it. 🚩
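To make the hint concrete, here is an added example (my own code, not from the room) that scans `git log -p` output and reports every commit in which a quoted literal was assigned to a credential-looking name. The embedded log is constructed for the demonstration: the file name nostromo.py, the commit hashes, the author and the password value are all made up. In the sample, the second commit replaces the literal with os.getenv(), exactly as Task 7 expects, yet the scanner still finds the secret in the initial commit, because removing a line from the working tree does not remove it from history.

```python
# Added example, not code from the TryHackMe room. Scans `git log -p` output
# for secrets that were committed at any point in history. SAMPLE_GIT_LOG,
# its hashes, file name and password value are constructed for the demo.
import re
import sys

SAMPLE_GIT_LOG = """\
commit b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1
Author: Dev <dev@example.invalid>
Date:   Fri Mar 1 10:00:00 2024 +0000

    read the password from the environment instead of hard-coding it

diff --git a/nostromo.py b/nostromo.py
--- a/nostromo.py
+++ b/nostromo.py
@@ -1,2 +1,3 @@
+import os
-PASSWORD = "constructed-password-1979"
+PASSWORD = os.getenv("NOSTROMO_PASSWORD")
 print("connecting...")

commit a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
Author: Dev <dev@example.invalid>
Date:   Thu Feb 29 09:00:00 2024 +0000

    initial commit

diff --git a/nostromo.py b/nostromo.py
--- /dev/null
+++ b/nostromo.py
@@ -0,0 +1,2 @@
+PASSWORD = "constructed-password-1979"
+print("connecting...")
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")
# An added line ('+', but not the '+++' file header) that assigns a quoted
# literal to a name containing pass/passwd/password/secret/token/api_key.
# `PASSWORD = os.getenv(...)` does not match: the value after '=' must be a
# quoted string of at least six characters.
SECRET_RE = re.compile(
    r"^\+(?!\+\+)\s*(?P<name>\w*(?:pass(?:w(?:or)?d)?|secret|token|api_?key)\w*)"
    r"\s*=\s*(?P<q>['\"])(?P<value>[^'\"]{6,})(?P=q)",
    re.IGNORECASE,
)


def scan_git_log(text):
    """Walk `git log -p` output and return one finding per added line that
    assigns a quoted literal to a credential-looking name, with the commit
    and file it was added in."""
    findings = []
    commit = path = None
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit, path = m.group(1), None
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        m = SECRET_RE.match(line)
        if m:
            findings.append({"commit": commit, "file": path,
                             "name": m.group("name"), "value": m.group("value")})
    return findings


if __name__ == "__main__":
    # Real use: git log -p --all | python scan_history.py
    text = SAMPLE_GIT_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in scan_git_log(text):
        print(f"{f['commit'][:12]} {f['file']}: {f['name']} = {f['value']!r}")
```

Because the secret survives in history, the remediation after such a finding is to rotate the credential; rewriting or force-pushing history without rotating it only hides a value that anyone who already cloned the repository still has.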

Task 8 — Secret Management

Q: What is the hidden flag?
A: THM_S3CUr3_4L13NS
Q: What do you need to keep source code secure besides environment variables?
A: secret management
Q: Which file handles the configuration to run CI/CD jobs?
A: .gitlab-ci.yml

Hint: In the GitLab project, check Settings -> CI/CD -> Variables. Values defined there are injected into jobs as environment variables and never appear in the repository. 🚩
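As an added illustration (my own config fragment, not the room's pipeline), here is how the two answers above fit together in a .gitlab-ci.yml: the file defines the jobs, while the secret itself is kept out of the file and supplied from Settings -> CI/CD -> Variables. The job name, the image, the script and the variable name NOSTROMO_PASSWORD are assumptions.

```yaml
# Added example, not from the TryHackMe room. Job, image, script and the
# variable name NOSTROMO_PASSWORD are assumptions.
stages:
  - test

# Weak: putting the value in the pipeline file commits it to the repository
# (and its history) for everyone with read access.
# variables:
#   NOSTROMO_PASSWORD: "constructed-password"   # do not do this

test:
  stage: test
  image: python:3.12
  script:
    # NOSTROMO_PASSWORD is deliberately NOT defined in this file. It is set in
    # the project under Settings -> CI/CD -> Variables, flagged "Masked" so it
    # is hidden in job logs and "Protected" so it is only injected into
    # pipelines on protected branches and tags. The runner exposes it to the
    # job as an ordinary environment variable, which os.getenv() then reads.
    - test -n "$NOSTROMO_PASSWORD" || { echo "NOSTROMO_PASSWORD is not set"; exit 1; }
    - python nostromo.py
```

The fail-closed check at the start of the script is there because a protected variable is simply absent on an unprotected branch; without the check the job would run with an empty credential and produce a confusing failure later on.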

Additional sources:
YAML (Website) —
https://yaml.org
What is YAML? The YML File Format — https://www.freecodecamp.org/news/what-is-yaml-the-yml-file-format/
What is YAML? —
https://www.redhat.com/en/topics/automation/what-is-yaml
YAML (Wikipedia) —
https://en.wikipedia.org/wiki/YAML
What is YAML? A beginner’s guide —
https://circleci.com/blog/what-is-yaml-a-beginner-s-guide/

Bonus — additional information:
OWASP — Secrets Management Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
What is secrets management?:
https://www.redhat.com/en/topics/devops/what-is-secrets-management
What is secrets management?:
https://www.cloudflare.com/learning/security/glossary/secrets-management/
Use of hard-coded password: https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password
CWE-259: Use of Hard-coded Password: https://cwe.mitre.org/data/definitions/259.html
CWE-798: Use of Hard-coded Credentials: https://cwe.mitre.org/data/definitions/798.html

I hope you enjoy! 🍀

If you enjoyed reading the article, you can take a look at “CTF Writeup — Fetch the Flag CTF 2023 — Unhackable Andy”.

#Git #GitLab #SecretManagement #Secret-Management #writeup #hacking #ITsecurity #THM #TryHackMe

Best wishes,


embossdotar

Security researcher. VDP enthusiast, and of similar programs such as bug bounties: https://github.com/mbiesiad