Tags: git
Rating:
I started exploring using I've had some experience working through [git plumbing](https://www.git-scm.com/book/en/v2/Git-Internals-Plumbing-and-Porcelain)
commands
```
user@box:/tmp/ob/easy_web$ find .git/objects/ -type f
.git/objects/ba/46709ec62fd916b29f17c5e9fd2fa99b71027c
.git/objects/fa/e323e2976c63f9aab36283ded3a205b02cd8da
.git/objects/cd/50304fc39f8c0fbc7ad062ecb9a940f3baed29
.git/objects/info/packs
.git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.idx
.git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack
.git/objects/5d/04bb5c39d8821c57d6e109088caefbdfd9660b
.git/objects/26/6f4148e4cf37bdbfb57da379ea49b2f106e6b2
.git/objects/4e/48cb9537172cfcf4174c999ee409ca70139c3d
.git/objects/4e/342ba6d191971197bb40023855b53a0155060b
.git/objects/50/935b0c64743459d3ffdfabb31229af867b949e
.git/objects/8e/497982ba717ee0fe21acd4d6a1beb74be0f90f
.git/objects/87/16dd0de5702371cc61c4627865bcaf16ddb448
```
The pack file sticks out, and I know it can be used to house more git objects
so I found [the documentation](https://www.git-scm.com/book/en/v2/Git-Internals-Packfiles)
which led me to try the `verify-pack` command.
```
user@box:/tmp/ob/easy_web$ git verify-pack -v .git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack
d516014b8de3f20d473f2adca1713337095c7873 commit 217 153 12
f1d1f81fb5444ec4d40736104d682b43611c66f5 commit 217 151 165
98d396f94fb23e9e0fb317aa041ca02691f7ec8b commit 218 156 316
...truncated ...
72e3d57df672e811ef56d4fa993a71da33a1de91 blob 59 67 9622
207cef168362ac985a373f49fdbcf1d29035b6fb tree 64 79 9689 2 91a3b5d486e8cce94c981e459db47a2fa4497e1b
non delta: 59 objects
chain length = 1: 21 objects
chain length = 2: 12 objects
chain length = 3: 5 objects
chain length = 4: 1 object
chain length = 5: 1 object
.git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack: ok
```
I wanted to `cat-file` the hashes and save the output, so I put together a basic script
in python. The script is located in the [full writeup](https://amccormack.net/2019-05-05-obliterated-file-tsg-ctf.html)
`fetch.py` is essentially `git cat-file -p $hash > output/hash`
```
user@box:/tmp/ob/easy_web$ git verify-pack -v .git/objects/pack/pack-358c51ff6239c4616442ad260a7f71391fec6fc2.pack |\
grep -Po '[a-f0-9]{40}'| \
sort|uniq| xargs -I{} python fetch.py {}
```
Then I started grepping through the output:
```
user@box:/tmp/ob/easy_web$ grep -rni flag output/
output/02d365359d84a5d4f4317fa3549fe073a024c502:5:flag = File.open("./flag", "r") do |f|
output/02d365359d84a5d4f4317fa3549fe073a024c502:14: db.exec "INSERT INTO accounts VALUES ('admin', '#{flag}');"
output/6eec6e57cc9eb5aa67f09fb73bdb3b933d7fdded:5:The flag is admin's password.
output/c9319554ea383df062bafa9e96915ffe62136457:3:100644 blob 111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc flag
...
```
```
user@box:/tmp/ob/easy_web$ file output/111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc
output/111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc: zlib compressed data
user@box:/tmp/ob/easy_web$ printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" |cat - output/111eb967d40ae9bc7b2d16bbab7aaac5746ba1dc|gzip -dc
TSGCTF{$_git_update-ref_-d_refs/original/refs/heads/master}
gzip: stdin: unexpected end of file
```
