Sunday 21 February 2016

Internetwache CTF 2016 0ldsk00lBlog

Question :

Service : https://0ldsk00lblog.ctf.internetwache.org/

Solution :

The blog says "All people are talking about a tool called 'Git'. I think I might give this a try.", which leaves us a hint, so let's check what's in "https://0ldsk00lblog.ctf.internetwache.org/.git/".

The response is "403 Forbidden", which means the directory exists but cannot be accessed.

So now, after reading through this wonderful website, anyone would understand the Git directory structure.

Having said that, I went through a couple of writeups on similar challenges and found a useful tool called dvcs-ripper, which can find all the commits and check whether the directories in .git, such as logs, config, objects, etc., are accessible.


After firing it up, I got the objects listed below.

Reading the Object file :

Now, if you look at the object files I have listed, they are not ordered from latest to oldest, hence https://0ldsk00lblog.ctf.internetwache.org/.git/refs/heads/master may give you the SHA-1 "8c46583a968da7955c13559693b3b8c5e5d5f510", which is the latest commit, but it doesn't have the flag.

I decompressed every object using Python and zlib, and finally the last object in the list, "objects/55/08adb31bf48ae5fe437bdeba60f83982356934", had the flag.
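
What decompressing the objects involves, as an added example that is not code from the original post: a loose object is zlib-compressed `<type> <size>\0<body>` named by its SHA-1, and following parent links from the head commit surfaces content that the latest commit no longer contains. The object store is constructed in memory, nothing is fetched, and all function names are assumptions made for this sketch.

```python
import hashlib
import re
import zlib

TREE_ENTRY = re.compile(rb"(\d+) ([^\x00]+)\x00(.{20})", re.S)  # mode, name, raw SHA-1

def make_object(store, kind, body):
    """Add a constructed loose object to store and return its SHA-1 name."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\x00" + body
    sha = hashlib.sha1(raw).hexdigest()
    store[sha] = zlib.compress(raw)  # bytes served at objects/<sha[:2]>/<sha[2:]>
    return sha

def read_object(store, sha):
    """Inflate one object, check its header size and SHA-1 name, return (kind, body)."""
    raw = zlib.decompress(store[sha])
    header, _, body = raw.partition(b"\x00")
    kind, size = header.decode().split(" ")
    if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("corrupt or mislabeled object " + sha)
    return kind, body

def walk_history(store, head):
    """Follow parent links from head; return {commit sha: {file name: content}}."""
    files, queue = {}, [head]
    while queue:
        commit = queue.pop()
        if commit in files:
            continue
        files[commit] = {}
        headers = read_object(store, commit)[1].split(b"\n\n", 1)[0].decode()
        for key, _, value in (line.partition(" ") for line in headers.split("\n")):
            if key == "parent":
                queue.append(value)
            elif key == "tree":
                for mode, name, sha in TREE_ENTRY.findall(read_object(store, value)[1]):
                    if mode != b"40000":  # subtrees are not descended in this sketch
                        files[commit][name.decode()] = read_object(store, sha.hex())[1]
    return files

def build_sample():
    """Constructed two-commit repository; only the older commit holds the secret."""
    store, parent = {}, None
    for content in (b"CONSTRUCTED-SECRET", b"redacted"):
        blob = bytes.fromhex(make_object(store, "blob", content))
        tree = make_object(store, "tree", b"100644 notes.txt\x00" + blob)
        text = "tree " + tree + ("\nparent " + parent if parent else "") + "\n\nmsg\n"
        parent = make_object(store, "commit", text.encode())
    return store, parent
```

Overwriting a secret in a newer commit leaves the older blob in `objects/`, so a deployed web root should not contain `.git` at all, and the server should deny every path under it rather than only the directory listing.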



FLAG : IW{G1T_1S_4W3SOME}
