c0c0n XI DomeCTF Writeup — Brazil — Team RedX!!

Sreehari Haridas
Oct 8, 2018 · 2 min read

Challenge — Brazil:

Initial Recon

https://crm.domectf.in

A basic Nmap scan showed that only SSH, HTTP and HTTPS were open.

HTTPS returned a login page for a CRM panel; Wappalyzer reported the backend as D3 and Nginx as the web server.

Directory brute forcing

Running a directory brute-forcing tool such as Dirb or Dirsearch returned a .git directory.

Developers tend to forget to remove these directories, which can contain sensitive information such as git repository links and commit histories.

Dumping data from .git repository

A script called git dumper can be used to dump the data from .git:

./gitdumper.sh https://crm.domectf.in/.git/ dumped

This extracts the repository data. After the dump we could normally use git log to view the commit history, but in this case the organizers messed up the HEAD, which corrupts the git repo, so the git command line can no longer read it.

There is another tool, git extractor, that extracts and recreates files from the commit history:

./extractor.sh dumped/ extracted/

As we can see, a file flag.txt was extracted from the commit history.
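The two ideas above (a served /.git/HEAD is the tell-tale sign of an exposed repository, and a corrupt HEAD does not stop recovery because every commit still sits in objects/) can be shown in one self-contained script. This is an added example written for this writeup; it is not Team RedX's code and not the gitdumper/extractor scripts. It builds a constructed sample dump in a temp directory (two commits, the first adds a placeholder flag.txt and the second deletes it, with HEAD deliberately overwritten with garbage) and then recovers the file by walking the loose objects directly, which is what the extractor step does in principle. A defender can point looks_like_git_head at the body returned by their own server's /.git/HEAD to confirm the path is blocked.

```python
import hashlib
import re
import tempfile
import zlib
from pathlib import Path

# --- Detection: does a fetched /.git/HEAD body look like a real git HEAD? ---
_HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$")

def looks_like_git_head(body: bytes) -> bool:
    """True if the body is a symbolic ref or a bare commit id, i.e. the
    server is handing out its .git directory instead of a 403/404."""
    return bool(_HEAD_RE.match(body.strip()))

# --- Recovery: walk loose objects directly, never consulting HEAD or refs ---
def read_object(git_dir: Path, oid: str) -> tuple:
    """Inflate one loose object and split off its 'type size\\0' header."""
    raw = zlib.decompress((git_dir / "objects" / oid[:2] / oid[2:]).read_bytes())
    header, _, body = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), body

def parse_tree(body: bytes):
    """Yield (mode, name, oid) entries from a raw tree body."""
    i = 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].split(b" ", 1)
        yield mode.decode(), name.decode(), body[nul + 1:nul + 21].hex()
        i = nul + 21

def walk_tree(git_dir: Path, tree_oid: str, prefix: str = ""):
    """Yield (path, content) for every file reachable from a tree object."""
    _, body = read_object(git_dir, tree_oid)
    for mode, name, oid in parse_tree(body):
        if mode == "40000":                      # git stores subdirectories as mode 40000
            yield from walk_tree(git_dir, oid, prefix + name + "/")
        else:
            yield prefix + name, read_object(git_dir, oid)[1]

def extract_commits(git_dir: Path) -> dict:
    """Return {commit_oid: {path: content}} for every loose commit object.
    Works with a corrupt HEAD because it scans objects/ instead of refs."""
    results = {}
    for shard in (git_dir / "objects").iterdir():
        if len(shard.name) != 2:                 # skip info/ and pack/
            continue
        for obj in shard.iterdir():
            oid = shard.name + obj.name
            kind, body = read_object(git_dir, oid)
            if kind == "commit":
                tree_oid = body.split(b"\n", 1)[0].split(b" ")[1].decode()
                results[oid] = dict(walk_tree(git_dir, tree_oid))
    return results

def recover(git_dir: Path, filename: str) -> list:
    """Contents of `filename` in every commit that contains it, deleted files included."""
    return [files[filename] for files in extract_commits(git_dir).values() if filename in files]

# --- Constructed sample dump (not the CTF repository); HEAD is deliberately broken ---
def _store(git_dir: Path, kind: bytes, body: bytes) -> str:
    raw = kind + b" " + str(len(body)).encode() + b"\0" + body
    oid = hashlib.sha1(raw).hexdigest()          # git's loose-object id is sha1 over header+body
    path = git_dir / "objects" / oid[:2] / oid[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return oid

def _entry(mode: str, name: str, oid: str) -> bytes:
    return f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)

def build_sample_dump() -> Path:
    """Commit 1 adds flag.txt (placeholder value), commit 2 deletes it again."""
    git_dir = Path(tempfile.mkdtemp()) / ".git"
    readme = _store(git_dir, b"blob", b"# CRM\n")
    flag = _store(git_dir, b"blob", b"flag{constructed_sample_flag}\n")
    tree1 = _store(git_dir, b"tree", _entry("100644", "README.md", readme) + _entry("100644", "flag.txt", flag))
    tree2 = _store(git_dir, b"tree", _entry("100644", "README.md", readme))
    who = b"dev <dev@example.invalid> 0 +0000"
    c1 = _store(git_dir, b"commit", b"tree " + tree1.encode() + b"\nauthor " + who + b"\ncommitter " + who + b"\n\nadd flag\n")
    _store(git_dir, b"commit", b"tree " + tree2.encode() + b"\nparent " + c1.encode() + b"\nauthor " + who + b"\ncommitter " + who + b"\n\nremove flag\n")
    (git_dir / "HEAD").write_bytes(b"not-a-ref\n")   # simulates the organizers' corrupted HEAD
    return git_dir

if __name__ == "__main__":
    dump = build_sample_dump()
    print("HEAD parseable by git:", looks_like_git_head((dump / "HEAD").read_bytes()))
    for content in recover(dump, "flag.txt"):
        print("recovered flag.txt from history:", content.decode().strip())
```

The recovery side only handles loose objects; a dump that also contains objects/pack/*.pack would need a packfile parser on top, which is the remaining work real extractor tools do for you. The lesson for the defender is the same either way: a deleted file stays recoverable as long as its blob is reachable from any commit, so blocking the .git path at the web server is the fix, not deleting the file in a later commit.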

Voila, we got the flag!!
