This is the write-up of an easy CTF from https://0x00sec.org/; you can find all the CTFs at the following URL: https://ctf.0x00sec.org/challenges

First of all, I analyzed the webpage source by pressing Ctrl + Shift + C, or by right-clicking and choosing View Page Source.
At the end of the HTML code, I see a comment:

  <!-- TODO: -->
  <!-- * Remove the git directory after publishing -->

Good, this will save us time, since I was about to run a directory brute-force.
Accessing https://exercise-1.0x00sec.dev/.git/ directly led me to a 403 Forbidden. But that's okay: only the directory index is blocked, and if I request https://exercise-1.0x00sec.dev/.git/config directly I can still read the files inside that directory.

Good.

I used git-dumper.py to dump the git repo:

./git-dumper.py https://exercise-1.0x00sec.dev/ ~/ctf/0x00sec/01_git
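The recon step above shows the pattern a defender should alert on: the index of /.git/ returns 403 while /.git/config and the object files are still served, which is exactly what git-dumper needs. As an added example (not part of the original write-up), this Python script scans access logs in the combined format used by Apache and nginx for that pattern; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the combined access-log format used by Apache and
# nginx; they are made up for this example and are not from the CTF host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /.git/ HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /.git/objects/ab/cd1234 HTTP/1.1" 200 310 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:05:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Fields needed from a combined-format line: client IP, method, path, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return a dict with ip, method, path and int status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_git_path(path):
    """True for the repository metadata directory or anything below it (query string ignored)."""
    path = path.split("?", 1)[0]
    return path == "/.git" or path.startswith("/.git/")

def find_git_exposure(log_text):
    """Map each client IP to the /.git/ paths the server actually delivered (2xx).
    A 403 on /.git/ itself is not counted as protection: the index may be blocked
    while individual files such as /.git/config are still served."""
    served = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_git_path(rec["path"]) and 200 <= rec["status"] < 300:
            served[rec["ip"]].append(rec["path"].split("?", 1)[0])
    return dict(served)

def repo_metadata_exposed(log_text):
    """True if any client retrieved /.git/HEAD or /.git/config, enough to start a full dump."""
    hits = find_git_exposure(log_text).values()
    return any(p in ("/.git/HEAD", "/.git/config") for paths in hits for p in paths)
```

Run `find_git_exposure(SAMPLE_LOG)` against your own logs to see which client pulled which files; the fix is to deny the whole `.git` path at the web server and to deploy from a build artefact rather than a checkout.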

And navigating in that directory, we find the following files:

  • start.sh
  • index.php

start.sh is just a bash script to run PHP inside Docker, so we're gonna ignore that.
What's interesting is index.php. We're gonna analyze that.

The portion of the code that we're interested in is the one handling authentication.

if (isset($_POST["username"]) && isset($_POST["password"])) {
    // Username is checked in clear text; the password is compared through its SHA-256 hash.
    // The flag is stored base64-encoded and XOR-ed with the plaintext password.
    if ($_POST["username"] == "admin" && hash('sha256', $_POST["password"]) == "e83176eaefcc1ae8c4a23dbc73ebcf122f26cfb9ba5c7cf4763e96c1c38a6c6c") {
        echo '<h4> '.xor_this(base64_decode("Cl9SEwgSQRVFUA1dAl1dVFkaQF0CWAQUTQ=="), $_POST["password"]).' </h4>';
    } else {
        echo '<h4 class="error"> Incorrect Password :) </h4>';
    }
} else {
    echo '

    <form class="form-signin" action="/" method="post">
    <h3> 0x00sec Exercise #1 </h3>
      <label for="inputEmail" class="sr-only">Username</label>
      <input type="text" id="inputEmail" name="username" class="form-control" placeholder="Username" required autofocus>
      <label for="inputPassword" class="sr-only">Password</label>
      <input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" required>
      <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
    </form>';
}

We can see what the username is (admin) and the SHA-256 hash of the password (e83176eaefcc1ae8c4a23dbc73ebcf122f26cfb9ba5c7cf4763e96c1c38a6c6c), but not the password itself. So I used Jack Hash Finder to crack the hash. Basically it looks the hash up in other people's databases to see if a result comes back.

./jhf e83176eaefcc1ae8c4a23dbc73ebcf122f26cfb9ba5c7cf4763e96c1c38a6c6c

We found the password: l33tsupah4x0r. Now we have our credentials: admin:l33tsupah4x0r

Let's try them out:

Bingo!