TryHackMe: Committed (Finding Dangerous GIT Commits)

Challenge Premise

“Oh no, not again! One of our developers accidentally committed some sensitive code to our GitHub repository. Well, at least, that is what they told us… the problem is, we don’t remember what or where! Can you track down what we accidentally committed?”

Challenge Files

After logging into the VM, we can check to see what files are in the challenge folder. There is a single zip, so let’s extract it and examine the contents.

ubuntu@thm-comitted:~/commited$ pwd
/home/ubuntu/commited
ubuntu@thm-comitted:~/commited$ ls -al
total 44
drwxrwxr-x  2 ubuntu ubuntu  4096 Jul 14 22:19 .
drwxr-xr-x 17 ubuntu ubuntu  4096 Jul 14 22:00 ..
-rw-rw-r--  1 ubuntu ubuntu 34993 Mar 11 21:11 commited.zip
...
ubuntu@thm-comitted:~/commited/commited$ ls -al
total 20
drwxrwxr-x 3 ubuntu ubuntu 4096 Feb 13 08:50 .
drwxrwxr-x 3 ubuntu ubuntu 4096 Jul 14 22:23 ..
drwxrwxr-x 8 ubuntu ubuntu 4096 Feb 13 08:50 .git
-rw-rw-r-- 1 ubuntu ubuntu  393 Feb 13 08:50 Readme.md
-rw-rw-r-- 1 ubuntu ubuntu  982 Feb 13 08:50 main.py
ubuntu@thm-comitted:~/commited/commited$ git status
On branch master
nothing to commit, working tree clean

If we examine the Python script, we can see that it contains the connection parameters for a database, with placeholders where credentials were likely hardcoded at some point (we’ve all been there).

ubuntu@thm-comitted:~/commited/commited$ cat main.py 
import mysql.connector

def create_db():
    mydb = mysql.connector.connect(
    host="localhost",
    user="", # Username Goes Here
    password="" # Password Goes Here
    )

I’m interested in hunting this lead, so we will start by enumerating the commit history to see if there are any interesting commit messages.

Prior Commits

To view the commit history for this repo, we can simply run git log:

ubuntu@thm-comitted:~/commited/commited$ git log
commit 28c36211be8187d4be04530e340206b856198a84 (HEAD -> master)
Author: fumenoid <fumenoid@gmail.com>
Date:   Sun Feb 13 00:49:32 2022 -0800

    Finished

commit 9ecdc566de145f5c13da74673fa3432773692502
Author: fumenoid <fumenoid@gmail.com>
Date:   Sun Feb 13 00:40:19 2022 -0800

    Database management features added.

commit 26bcf1aa99094bf2fb4c9685b528a55838698fbe
Author: fumenoid <fumenoid@gmail.com>
Date:   Sun Feb 13 00:32:49 2022 -0800

    Create database logic added

commit b0eda7db60a1cb0aea86f053816a1bfb7e2d6c67
Author: fumenoid <fumenoid@gmail.com>
Date:   Sun Feb 13 00:30:43 2022 -0800

    Connecting to db logic added

commit 441daaaa600aef8021f273c8c66404d5283ed83e
Author: fumenoid <fumenoid@gmail.com>
Date:   Sun Feb 13 00:28:16 2022 -0800

    Initial Project.

If we want to investigate these, we can run git checkout <commit_id> and then re-examine main.py, or we can run git diff <commit_id> to compare the changes between one commit and another. For example, diffing the initial commit against a later one shows the connection logic being added:

index dfe24c9..161979c 100644
--- a/main.py
+++ b/main.py
@@ -1 +1,49 @@
-print("Hello World\n")
+import mysql.connector
+
+def create_db():
+    mydb = mysql.connector.connect(
+    host="localhost",
+    user="", # Username Goes Here
+    password="" # Password Goes Here
+    )
+
+    mycursor = mydb.cursor()
+
+    mycursor.execute("CREATE DATABASE commited")
+
+
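
Review bot: create_db() in this hunk passes user="" and password="" straight into mysql.connector.connect() with "Goes Here" comments, which invites exactly the hardcoded-credential commit the rest of this write-up hunts down; read them from the environment or from a config file that is excluded via .gitignore instead (for example user=os.environ["DB_USER"], password=os.environ["DB_PASSWORD"]) so that no real value ever lands in a tracked file. The keyword arguments are also indented at function-body level rather than inside the call, which is legal Python but makes the block easy to misread.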

However, doing this is a manual effort, and in a large-scale project there are likely hundreds if not thousands of commits to examine. There is also one more place we can check for potentially suspicious commit messages: the REFS log (reflog), which records commits that may no longer be reachable from any branch.

REFS log

By running git log --reflog, which includes every commit the reflog still points at, we can see a suspicious commit message, “Oops”:

...
commit c56c470a2a9dfb5cfbd54cd614a9fdb1644412b5
Author: fumenoid <fumenoid@gmail.com>
Date:   Sun Feb 13 00:46:39 2022 -0800

    Oops

commit 3a8cc16f919b8ac43651d68dceacbb28ebb9b625
Author: fumenoid <fumenoid@gmail.com>
Date:   Sun Feb 13 00:45:14 2022 -0800

    DB check

We know that the “Oops” commit was likely a response to something previously committed, so let’s check out the commit immediately before it.

Examining Additional Files

When we check out the DB check commit, we can see that there are additional files now present in our directory:

ubuntu@thm-comitted:~/commited/commited$ git checkout 3a8cc16f919b8ac43651d68dceacbb28ebb9b625
Note: switching to '3a8cc16f919b8ac43651d68dceacbb28ebb9b625'.
...
HEAD is now at 3a8cc16 DB check
ubuntu@thm-comitted:~/commited/commited$ ls -al
total 24
drwxrwxr-x 3 ubuntu ubuntu 4096 Jul 14 22:31 .
drwxrwxr-x 3 ubuntu ubuntu 4096 Jul 14 22:23 ..
drwxrwxr-x 8 ubuntu ubuntu 4096 Jul 14 22:31 .git
-rw-r--r-- 1 ubuntu ubuntu   83 Jul 14 22:31 Note
-rw-r--r-- 1 ubuntu ubuntu  363 Jul 14 22:31 Readme.md
-rw-r--r-- 1 ubuntu ubuntu 1108 Jul 14 22:31 main.py
ubuntu@thm-comitted:~/commited/commited$ cat Note 
# Branch DBint

This branch is being used to test the code with the mysql server.

What happened?

My assumption is that this scenario is emulating a developer creating a new git branch to test SQL DB connectivity and accidentally committing this branch rather than switching back to a production branch before pushing patches/changes.

If we cat main.py at this commit, we can see the hardcoded credentials that were later removed.

ubuntu@thm-comitted:~/commited/commited$ cat main.py 
import mysql.connector

def create_db():
    mydb = mysql.connector.connect(
    host="localhost",
    user="root", # Username Goes Here
    password="flag{redacted}" # Password Goes Here

Bonus Round: Automating via Script!

I wanted to think of a way of automating going through each commit and checking for the presence of the flag. To do this, we first need a way of collecting all of our commit ids. We can use awk to print the first column (the abbreviated commit id) of each reflog entry:

ubuntu@thm-comitted:~/commited/commited$ git reflog |  awk '{ print $1 }'
4e16af9
3a8cc16
28c3621
4e16af9
28c3621
9ecdc56
4e16af9
c56c470
3a8cc16
6e1ea88
9ecdc56
9ecdc56
26bcf1a
b0eda7d
441daaa

I’ll feed this output via > to a file called commits. The next step is to write a bash script that will check out each commit and grep main.py for flag. I accomplished it via this method (I’m no bash script expert but uh… it works):

#!/bin/bash

# Read one commit id per line from the "commits" file built from git reflog
while read -r p; do
	# Check out that commit quietly (detached HEAD) ...
	git checkout "$p" --quiet
	# ... and search main.py case-insensitively for the flag string
	grep -i flag main.py
done < commits

Output:

ubuntu@thm-comitted:~/commited/commited$ ./gotcha.sh 
    password="flag{redacted}" # Password Goes Here
    password="flag{redacted}", #password Goes here
    password="flag{redacted}",
    password="flag{redacted}" # Password Goes Here
    password="flag{redacted}", #password Goes here
    password="flag{redacted}",

If you’d like to try this room, go to HERE. Thanks as always to TryHackMe for providing fun content.