Information disclosure in version control history

This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.

Before diving in, let's address the version control history.

Version control is a system that records changes to a file or set of files over time so that you can recall specific versions later. It is commonly used in software development to manage source code, but it can also be applied to other types of files. The purpose of version control is to track changes, collaborate with others, and revert to previous states if necessary.

In this lab, the challenge lies in identifying the version control system data amidst various options such as Git, SVN, Mercurial, and more. Rather than a trial-and-error approach, I opted to use the gobuster tool to systematically explore webapp directories, revealing the presence of a Git repository ("/.git")

➜ gobuster dir -k -u https://0ae3003d03c8b952812a67ce00e3007c.web-security-academy.net/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://0ae3003d03c8b952812a67ce00e3007c.web-security-academy.net/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.git                 (Status: 200) [Size: 1201]

Confirming that Git is in use, I employed the git-dumper tool to extract the repository data.

In the "out" directory, where I stored the extracted data, the presence of the ".git" directory was confirmed.

I began navigating through the directories and conducting a search for credentials. Typically, configuration files are a common location for such information, yet this particular repository did not yield any credentials in its configuration files. Subsequently, I shifted focus to explore the Git history (or logs) to ascertain whether any changes had occurred in this repository.

Ah, now it makes sense. Initially, I was examining the latest commit, which had a description indicating the deletion of the admin password. Realizing the need to investigate further, I decided to delve into the details of the previous commits by utilizing the "git show" command.

The administrator password has been successfully revealed! Now, the next step is to log in as the administrator using the obtained credentials and proceed to delete the user "carlos" to successfully solve the lab.

PreviousAuthentication bypass via information disclosureNextAccess Control

Last updated