c0c0n XI DomeCTF Writeup — Brazil — Team RedX!!
Challenge — Brazil:
Initial Recon
A basic Nmap scan showed that only SSH, HTTP and HTTPS were open.
HTTPS served a login page for a CRM panel; Wappalyzer reported the backend as D3 and Nginx as the web server.
Directory brute forcing
Running a directory brute-forcing tool such as Dirb or Dirsearch turned up a .git directory.
Developers tend to forget to remove these directories, which can contain sensitive information such as git repository links and commit histories.
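From the defender's side, the same enumeration leaves a clear trail in the web server logs: a burst of requests for .git/HEAD, .git/config and .git/objects/ from one source, and the response codes tell you whether the repository was actually readable. The script below is an added example, not part of the original writeup; it parses constructed nginx combined-format log lines (the IPs, timestamps and paths are made up) and reports which sources probed .git and which .git paths were served with a 200.

```python
import re
from collections import defaultdict

# Constructed sample lines in nginx "combined" log format (not from the challenge host).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2018:10:01:02 +0530] "GET /login HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2018:10:01:03 +0530] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2018:10:01:03 +0530] "GET /.git/config HTTP/1.1" 200 92 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2018:10:01:04 +0530] "GET /.git/objects/ HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2018:10:02:00 +0530] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/7.58.0"
198.51.100.9 - - [12/Oct/2018:10:02:01 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"
"""

# Fields of the combined format that the analysis needs: client IP, timestamp,
# request method and path, and the response status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any path component equal to ".git" (the dumpers start with HEAD, config and objects/).
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Count .git probes per client IP and collect the .git paths answered with HTTP 200.

    A 200 on any .git path means the repository was readable at the time of the
    request; 403/404 means the probe was blocked or the directory is absent.
    """
    probes_by_ip = defaultdict(int)
    exposed_paths = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.search(rec["path"]):
            continue
        probes_by_ip[rec["ip"]] += 1
        if rec["status"] == 200:
            exposed_paths.add(rec["path"])
    return {"probes_by_ip": dict(probes_by_ip), "exposed_paths": sorted(exposed_paths)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, count in report["probes_by_ip"].items():
        print(f"{ip}: {count} .git probe(s)")
    print("served with 200:", report["exposed_paths"])
```

On the sample input, 203.0.113.7 is reported with three probes and /.git/HEAD and /.git/config as served, which is exactly the evidence of a successful dump; 198.51.100.9 only got a 404. The fix on the Nginx side is not to ship the directory at all, and as a backstop to add a location block that returns 404 for any path matching /\.git (a standard Nginx configuration, not something from the writeup).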
Dumping data from .git repository
A script called git dumper can be used to dump the data from .git:
./gitdumper.sh https://crm.domectf.in/.git/ dumped
This extracts the data. After the dump we could normally use the git log to view the commit history, but in this case the organizers had tampered with HEAD, which corrupts the git repository, so the git command no longer works.
There is another tool called git extractor that extracts and recreates files from the commit history:
./extractor.sh dumped/ extracted/
As we can see, a file flag.txt got extracted from the commit history.
Voila, we got the flag!!
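The reason a corrupted HEAD does not protect anything is worth making concrete: git stores every commit, tree and blob as a content-addressed loose object (zlib-compressed "type size\0payload", named by the SHA-1 of the uncompressed bytes), so a walker can enumerate the objects directory and rebuild every historical file without consulting HEAD or refs. The script below is an added example, not the extractor the writeup used; it builds a constructed in-memory object store with two commits (an older one containing a flag.txt and a newer one where it was deleted), then recovers the files of every commit purely from the objects. The sample flag value is made up. The point for a defender is that deleting a secret in a later commit, or breaking HEAD, changes nothing: the only fix is to keep the .git directory off the web root.

```python
import hashlib
import zlib


def make_object(obj_type, payload):
    """Build a git loose object and return (sha1_hex, zlib_compressed_bytes)."""
    raw = b"%s %d\x00" % (obj_type.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def make_tree(entries):
    """entries: list of (mode, name, sha_hex); git stores tree entries sorted by name."""
    payload = b""
    for mode, name, sha in sorted(entries, key=lambda e: e[1]):
        payload += b"%s %s\x00" % (mode.encode(), name.encode()) + bytes.fromhex(sha)
    return make_object("tree", payload)


def make_commit(tree_sha, message, parent=None):
    """Minimal commit object: tree, optional parent, author/committer, blank line, message."""
    lines = [b"tree " + tree_sha.encode()]
    if parent:
        lines.append(b"parent " + parent.encode())
    lines.append(b"author A U Thor <a@example.invalid> 1539320000 +0000")
    lines.append(b"committer A U Thor <a@example.invalid> 1539320000 +0000")
    return make_object("commit", b"\n".join(lines) + b"\n\n" + message.encode() + b"\n")


def build_sample_store():
    """Constructed object store (dict sha -> compressed bytes) and the sha of the newest commit."""
    store = {}

    def put(pair):
        sha, data = pair
        store[sha] = data
        return sha

    flag = put(make_object("blob", b"flag{constructed_sample_not_the_real_flag}\n"))
    readme = put(make_object("blob", b"# CRM\n"))
    tree1 = put(make_tree([("100644", "flag.txt", flag), ("100644", "README.md", readme)]))
    c1 = put(make_commit(tree1, "add flag"))
    tree2 = put(make_tree([("100644", "README.md", readme)]))  # flag.txt "deleted" here
    c2 = put(make_commit(tree2, "remove flag", parent=c1))
    return store, c2


def read_object(store, sha):
    """Inflate a loose object, verify its hash and size, and return (type, payload)."""
    raw = zlib.decompress(store[sha])
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("object %s is corrupt" % sha)
    header, _, payload = raw.partition(b"\x00")
    obj_type, size = header.decode().split(" ")
    if len(payload) != int(size):
        raise ValueError("size mismatch in %s" % sha)
    return obj_type, payload


def parse_tree(payload):
    """Decode tree entries: '<mode> <name>\\0' followed by a raw 20-byte SHA-1."""
    entries, i = [], 0
    while i < len(payload):
        nul = payload.index(b"\x00", i)
        mode, name = payload[i:nul].decode().split(" ", 1)
        entries.append((mode, name, payload[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def collect_files(store, tree_sha, prefix=""):
    """Recursively map path -> blob content for a tree (mode 40000 entries are subtrees)."""
    files = {}
    for mode, name, sha in parse_tree(read_object(store, tree_sha)[1]):
        if mode == "40000":
            files.update(collect_files(store, sha, prefix + name + "/"))
        else:
            files[prefix + name] = read_object(store, sha)[1]
    return files


def extract_all(store):
    """Walk every commit object in the store (no HEAD or refs needed) -> {commit_sha: {path: bytes}}."""
    result = {}
    for sha in store:
        obj_type, payload = read_object(store, sha)
        if obj_type != "commit":
            continue
        tree_sha = payload.split(b"\n", 1)[0].split(b" ")[1].decode()
        result[sha] = collect_files(store, tree_sha)
    return result


if __name__ == "__main__":
    store, newest = build_sample_store()
    for commit_sha, files in extract_all(store).items():
        print(commit_sha[:12], sorted(files))
```

Running it lists both commits with their files; the newest commit no longer has flag.txt, but the older one still does, and nothing in the walk depended on HEAD. A real extractor additionally follows parent links and handles packfiles, but the recovery principle is the same.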