TRYHACKME’S GITHAPPENS STEP WISE WRITEUP FOR TOTAL BEGINNERS

Rajan Kshedal
3 min read · Apr 26, 2022


Hello hackers! Today we are going to complete TryHackMe’s CTF Git Happens. So, let’s start with our nmap scan.

Let’s check HTTP. Here we see a login page and nothing more in the source code. I thought about brute-forcing credentials, but it isn’t sending any POST data, so no brute-forcing, sad. Now we have only one option left, and that is web directory fuzzing; I use gobuster. You can git clone it using the given GitHub link, and if you are using Kali Linux you can install it using the following commands:

sudo apt update

sudo apt install gobuster

Now we can run the tool from the command line using the following command:

gobuster dir -u <target_ip> -w /usr/share/wordlists/dirb/common.txt

We see a GitHub repo, and to dump that repo we need a tool, GitTools. Clone that tool and go to GitTools/Dumper/.

Run gitdumper.sh and it will show you how to use it:

./gitdumper.sh http://<target_ip>/.git/ /root/files/

Now go to that files folder and use the git log command; it will show you the following log output.

git log

We have a lot of commits. Commits record the changes made to the source code in the repository, so in simpler words we have all the source code that the web page has. Let’s see what changes they made; to do that we will use the git show command with the commit hash from above.

I checked the last commit and found nothing interesting, but when I checked the second-last commit I found the source code for the login page. And in that page I found the username and password.

git show 395e087334d613d5e423cdf8f7be27196a360459

Keep scrolling down; at the end you will see JavaScript code with a condition of the form if username = and password =. There we have our username and password.

Now, let’s try logging in with those credentials. We logged in, but there isn’t anything there, so I guess that the password is our flag. And it is indeed our flag.

password: Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!
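The credentials here came from the second-last commit, not the latest one, so deleting a secret in a new commit does not remove it from the history that ships with the .git folder. As an added example (not part of the original writeup), this shell function reads `git log -p` output from your own repository and reports every commit that ever added a password-like literal; the function names, patterns and sample log are constructed assumptions.

```shell
# Added example: scan `git log -p` output (stdin) for credentials that were
# ever ADDED in any commit. The patterns below are illustrative assumptions.
scan_history() {
  awk '
    /^commit [0-9a-f]+/ { commit = substr($2, 1, 12); next }
    /^\+\+\+ /          { file = $2; sub(/^b\//, "", file); next }
    /^\+/ {
      line = substr($0, 2); sub(/^[ \t]+/, "", line)
      if (tolower(line) ~ /(password|passwd|secret|api_?key)[a-z0-9_]*[ \t]*(=+|:)[ \t]*["\047][^"\047]+["\047]/) {
        print commit, file, line
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }   # non-zero exit lets CI fail the build
  '
}

# Constructed sample: the newest commit removes the literal, the older one added it.
sample_log() {
  cat <<'EOF'
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>
Date:   Thu Jan 2 00:00:00 2020 +0000

    Move login check to the server

diff --git a/index.html b/index.html
--- a/index.html
+++ b/index.html
@@ -10,3 +10,3 @@
-      if (username === "admin" && password === "EXAMPLE_ONLY") {
+      if (await serverCheck(username, password)) {
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>
Date:   Wed Jan 1 00:00:00 2020 +0000

    Add login page

diff --git a/index.html b/index.html
--- /dev/null
+++ b/index.html
@@ -0,0 +1,2 @@
+      if (username === "admin" && password === "EXAMPLE_ONLY") {
+      }
EOF
}
```

Run it as `git log -p --all | scan_history` before deploying; a hit means the secret has to be rotated, because it stays retrievable from history.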

Congratulations! We have completed our CTF. Thank you TryHackMe for this amazing CTF, and thanks also to the creator of this CTF, hydragyrum. Go check out his other rooms. Till then, goodbye and keep hacking.
