This is a challenge from the UTS Cyber Security Society (CSEC) Semester-long CTF for 2020 Autumn session.
So the description gave us a URL (http://188.8.131.52:8007). No reason not to start here, right? And we got:
Hmmm… Seems a newly set up Apache server, running a Ubuntu machine, without even serving a proper page. Not quite informative. Nothing in the page source, either :(
The next thing that came to mind was scanning the port:
nmap -sC -sV -p8007 184.108.40.206
Here! We found something interesting: a git repository! Let's try to pull this .git/ directory down.
git clone this repository:
Uh oh. That didn't work the normal way. A clone over plain HTTP relies on the "dumb" transport, which needs the helper files git update-server-info writes (info/refs and objects/info/packs); a repository whose .git/ simply happens to be exposed by the web server usually lacks them, so git clone fails even though every object is sitting there. But it should do no harm to check the URL in our browser.
Looking good. Directory listing is enabled, so the .git/ tree is served in its raw structure. This means that in the worst case we can spider everything down. So why not write a spider now ;)
Here it goes:
import os
import requests
from bs4 import BeautifulSoup

baseurl = "http://220.127.116.11:8007/.git"

def scan(rel):
    """Recursively mirror the Apache directory listing at baseurl + rel into ./<rel>."""
    print("scanning " + rel)
    directory = '.' + rel          # rel always starts with '/', so this is a path under $PWD
    if not os.path.exists(directory):
        print(directory + " does not exist, creating")
        os.mkdir(directory)
    url = baseurl + rel
    print("sending get request: " + url)
    soup = BeautifulSoup(requests.get(url).text, 'html.parser')
    for td in soup.find_all('td'):
        for a in td.find_all('a'):
            href = a.get('href')
            print("href: " + href)
            # Skip the 'Parent Directory' link (href '/') and any autoindex sort links
            # ('?C=N;O=D'); following them would make the spider recurse upwards forever.
            if href.startswith('/') or href.startswith('?'):
                continue
            if href.endswith('/'):
                scan(rel + href)
            else:
                with open(directory + href, 'wb') as f:
                    f.write(requests.get(baseurl + rel + href).content)

scan('/')
Let's save it as spider.py in an appropriate (empty) directory, because it downloads everything into $PWD, which could create a mess. Now let's run it!
$ ls
spider.py
$ python3 spider.py
scanning /
sending get request: http://18.104.22.168:8007/.git/
href: /
href: COMMIT_EDITMSG
href: HEAD
href: Icon
href: ORIG_HEAD
href: config
href: description
(.....)
(script logs blah blah)
(.....)
$ ls
COMMIT_EDITMSG  description  hooks  index  logs  ORIG_HEAD  spider.py  config  HEAD  Icon  info  objects  refs
Hooray! Now we've got the repository. My zsh prompt even told me we are on
First of all, let's look at the commit history, of course.
The third commit says 'hide flag'. If that is THE FLAG we are looking for (apparently), then we should check what it has hidden. Let's check out the Initial Commit.
Hmmm… That didn't go well. But what does this error message mean?
Luckily, Google has always been my friend, and I found this question, and the comments on the answer proved very helpful.
Turns out the .git/ directory is a hidden directory which git creates when you initialize your repository, and where all the commit snapshots are saved. That is, you can restore any file of any version from this directory alone. But the files you normally work with (the working tree) live in the parent directory of .git/, and that parent is exactly what our download is missing: the spider dropped the contents of .git/ straight into $PWD, so git sees a directory full of objects and refs but no repository around it.
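As an added illustration of that last point (this is not part of the original write-up), the script below shows why the bare .git/ contents are enough to recover any version: it builds a constructed two-commit history directly as loose objects in a temporary .git-style directory, then reads those objects back without invoking git at all, walking from the latest commit ('hide flag') to its parent and pulling flag.txt out of the initial commit's tree. The file names, the flag value and the author string are all made up for the example; real repositories may also keep objects in .git/objects/pack/, which this reader does not handle.

```python
import hashlib
import os
import tempfile
import zlib


def hash_object(kind, payload):
    """Return (sha1 hex, stored bytes) for a loose object: '<kind> <size>\\0' + payload, zlib-compressed."""
    raw = b"%s %d\x00" % (kind.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def write_object(git_dir, kind, payload):
    """Store a loose object under objects/xx/yyyy... and return its sha1."""
    sha, stored = hash_object(kind, payload)
    d = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, sha[2:]), "wb") as f:
        f.write(stored)
    return sha


def read_object(git_dir, sha):
    """Load and inflate a loose object, returning (kind, body)."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\x00")
    kind, size = header.split()
    assert int(size) == len(body), "corrupt object header"
    return kind.decode(), body


def parse_tree(body):
    """Yield (mode, name, sha) from a tree body: '<mode> <name>\\0<20 raw sha bytes>' repeated."""
    i = 0
    while i < len(body):
        nul = body.index(b"\x00", i)
        mode, name = body[i:nul].split(b" ", 1)
        sha = body[nul + 1:nul + 21].hex()
        yield mode.decode(), name.decode(), sha
        i = nul + 21


def parse_commit(body):
    """Split a commit body into its header fields (tree, parent, author, ...) and message."""
    headers, _, message = body.partition(b"\n\n")
    fields = {}
    for line in headers.decode().splitlines():
        key, _, value = line.partition(" ")
        fields.setdefault(key, []).append(value)
    return fields, message.decode()


def walk_commits(git_dir, sha):
    """Follow first-parent links from sha back to the root commit."""
    while sha:
        kind, body = read_object(git_dir, sha)
        assert kind == "commit"
        fields, message = parse_commit(body)
        yield sha, fields, message
        sha = fields.get("parent", [None])[0]


def read_file_at_commit(git_dir, commit_sha, filename):
    """Return the blob content of a top-level file as recorded by a commit, or None if absent."""
    fields, _ = parse_commit(read_object(git_dir, commit_sha)[1])
    for _mode, name, sha in parse_tree(read_object(git_dir, fields["tree"][0])[1]):
        if name == filename:
            return read_object(git_dir, sha)[1]
    return None


def build_sample_repo(git_dir):
    """Constructed history: 'Initial commit' adds flag.txt, then 'hide flag' replaces it with a README."""
    author = "ctf <ctf@example.com> 1583020800 +1100"  # constructed author line, arbitrary timestamp
    flag_blob = write_object(git_dir, "blob", b"FLAG{constructed_sample_flag}\n")
    tree1 = write_object(git_dir, "tree", b"100644 flag.txt\x00" + bytes.fromhex(flag_blob))
    c1 = write_object(git_dir, "commit",
                      f"tree {tree1}\nauthor {author}\ncommitter {author}\n\nInitial commit\n".encode())
    readme_blob = write_object(git_dir, "blob", b"nothing to see here\n")
    tree2 = write_object(git_dir, "tree", b"100644 README\x00" + bytes.fromhex(readme_blob))
    c2 = write_object(git_dir, "commit",
                      f"tree {tree2}\nparent {c1}\nauthor {author}\ncommitter {author}\n\nhide flag\n".encode())
    return c2  # HEAD


def make_sample_repo():
    """Create the constructed repo in a fresh temp dir; returns (git_dir, head_sha)."""
    git_dir = tempfile.mkdtemp()
    return git_dir, build_sample_repo(git_dir)


def recover_flag(git_dir, head_sha):
    """Walk back to the root commit and read flag.txt from its tree."""
    root_sha = list(walk_commits(git_dir, head_sha))[-1][0]
    return read_file_at_commit(git_dir, root_sha, "flag.txt")


if __name__ == "__main__":
    git_dir, head = make_sample_repo()
    for sha, _fields, message in walk_commits(git_dir, head):
        print(sha[:7], message.strip())
    print("HEAD has flag.txt:", read_file_at_commit(git_dir, head, "flag.txt"))
    print("recovered from root commit:", recover_flag(git_dir, head))
```

The same walk is what git checkout does for you once the directory layout is right; doing it by hand only matters when git refuses to treat the download as a repository, or when you want to pull one blob out of a half-downloaded .git/ without fixing anything up.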
Then this is easy. Let what belongs to .git/ go into .git/ (everything the spider downloaded, but not spider.py itself), and make our 'missing' working directory its parent.
Now everything is normal and familiar again. Let’s finish what was to be done.