c0c0n XI DomeCTF Writeup — Brazil — Team RedX!!

Challenge — Brazil:

Initial Recon

https://crm.domectf.in

Basic Nmap scan showed only SSH, HTTP and HTTPS were open

HTTPS returned a login page for a CRM panel. Wappalyzer identified D3 (a front-end JavaScript library, so not really the backend) and Nginx as the web server.

Directory brute forcing

Running a directory brute-forcing tool such as Dirb or Dirsearch against the host returned a .git directory. A quick manual confirmation is to request https://crm.domectf.in/.git/HEAD directly: if the file is served at all (normally a single line like ref: refs/heads/master), the repository metadata is exposed.

Developers tend to forget to remove or block access to these directories, and they can contain sensitive information: the remote repository URL in .git/config, the full commit history, and the contents of every file that was ever committed, including files deleted in later commits.

Dumping data from .git repository

A script called GitDumper (gitdumper.sh from the GitTools collection) can be used to dump the contents of the exposed .git directory:

./gitdumper.sh https://crm.domectf.in/.git/ dumped

This reconstructs the .git directory locally. Normally we could then run git log to view the commit history, but in this case the organizers had tampered with HEAD, which leaves the repository in a state git refuses to work with, so plain git commands are no longer usable. The objects themselves are still intact, though: every commit, tree and blob is sitting in .git/objects, and HEAD is only a pointer to them.

There is another tool in the same collection, extractor.sh, that recreates the files from the commit history. It does not rely on HEAD or refs: it reads the objects directly and rebuilds every commit it finds.

./extractor.sh dumped/ extracted/

As we can see, a file named flag.txt was extracted from the commit history. A file only needs to have been committed once to be recoverable this way; removing it from the working tree, or even deleting it in a later commit, does not remove its blob from the object store.
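The extraction step, as an added example that is not part of the original writeup or of GitTools: a small Python reimplementation of what extractor.sh does. It ignores HEAD and refs entirely and instead inflates every loose object under .git/objects, picks out the commits, walks their trees and writes each commit's files to a separate directory, so a tampered HEAD cannot stop it. The sample repository it builds (two commits, flag.txt present only in the first, HEAD pointing at a ref that does not exist) is constructed here for illustration, and the flag value in it is made up. It handles loose objects only: if a dump also contains packfiles under objects/pack, those need to be unpacked first (for example with git unpack-objects in a fresh repository), which this script does not do.

```python
import hashlib
import os
import tempfile
import zlib

def read_object(objects_dir, sha):
    """Inflate one loose object; return (type, body). Raises on truncated data."""
    with open(os.path.join(objects_dir, sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    otype, size = header.split(b" ")
    if int(size) != len(body):
        raise ValueError("size mismatch in object " + sha)
    return otype.decode(), body

def parse_tree(body):
    """A tree body is a run of '<mode> <name>\\0<20 raw sha bytes>' entries."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].split(b" ", 1)
        entries.append((mode.decode(), name.decode(), body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries

def walk_tree(objects_dir, tree_sha, prefix=""):
    """Return {path: bytes} for every blob reachable from one tree object."""
    files = {}
    for mode, name, sha in parse_tree(read_object(objects_dir, tree_sha)[1]):
        # The objects come from a host we do not control: drop entry names that
        # could escape the output directory when the files are written back out.
        if name in (".", "..") or "/" in name or mode == "160000":  # 160000 = submodule
            continue
        if mode == "40000":  # subdirectory
            files.update(walk_tree(objects_dir, sha, prefix + name + "/"))
        else:
            files[prefix + name] = read_object(objects_dir, sha)[1]
    return files

def extract_all_commits(objects_dir):
    """Scan .git/objects for every loose commit and rebuild its tree.
    HEAD and refs are never consulted, so a broken HEAD does not matter."""
    commits = {}
    for d in os.listdir(objects_dir):
        if len(d) != 2 or not os.path.isdir(os.path.join(objects_dir, d)):
            continue  # skips objects/pack and objects/info
        for name in os.listdir(os.path.join(objects_dir, d)):
            try:
                otype, body = read_object(objects_dir, d + name)
                if otype == "commit":
                    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()
                    commits[d + name] = walk_tree(objects_dir, tree_sha)
            except (OSError, zlib.error, ValueError):
                continue  # truncated or missing object in a partial dump
    return commits

def dump_to_disk(commits, out_dir):
    """Write each commit's files under out_dir/<commit sha>/, as extractor.sh does."""
    written = []
    for commit_sha, files in commits.items():
        for path, content in files.items():
            dest = os.path.join(out_dir, commit_sha, path)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as f:
                f.write(content)
            written.append(dest)
    return written

def write_object(objects_dir, otype, body):
    """Store a loose object exactly as git does (used only to build the sample)."""
    header = f"{otype} {len(body)}\0".encode()
    sha = hashlib.sha1(header + body).hexdigest()
    os.makedirs(os.path.join(objects_dir, sha[:2]), exist_ok=True)
    with open(os.path.join(objects_dir, sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(header + body))
    return sha

def build_sample_repo(root):
    """Constructed sample, not the challenge data: commit 1 adds flag.txt and
    index.html, commit 2 deletes flag.txt, and HEAD points at a missing ref."""
    objects_dir = os.path.join(root, ".git", "objects")
    flag = write_object(objects_dir, "blob", b"flag{constructed_sample_flag}\n")
    index = write_object(objects_dir, "blob", b"<html>CRM login</html>\n")
    tree1 = write_object(objects_dir, "tree", b"100644 flag.txt\0" + bytes.fromhex(flag)
                         + b"100644 index.html\0" + bytes.fromhex(index))
    tree2 = write_object(objects_dir, "tree", b"100644 index.html\0" + bytes.fromhex(index))
    who = "dev <dev@example.com> 1540000000 +0000"
    c1 = write_object(objects_dir, "commit",
                      f"tree {tree1}\nauthor {who}\ncommitter {who}\n\ninitial site\n".encode())
    c2 = write_object(objects_dir, "commit",
                      f"tree {tree2}\nparent {c1}\nauthor {who}\ncommitter {who}\n\nremove flag\n".encode())
    with open(os.path.join(root, ".git", "HEAD"), "w") as f:
        f.write("ref: refs/heads/does-not-exist\n")  # the deliberately broken HEAD
    return objects_dir, c1, c2

def run_demo():
    """Build the sample, extract it, and return what the caller can inspect."""
    root = tempfile.mkdtemp(prefix="dumped_")
    objects_dir, c1, c2 = build_sample_repo(root)
    commits = extract_all_commits(objects_dir)
    return commits, c1, c2, dump_to_disk(commits, os.path.join(root, "extracted"))
```

To use it on a real dump, point extract_all_commits at dumped/.git/objects and dump_to_disk at an output directory; each commit ends up in its own folder named after the commit hash, and the deleted flag.txt shows up under the commit that still referenced it.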

Voila we got the flag!!