Author: Yadhu Krishna
Upon opening the challenge, we are greeted with a login page, and no credentials are given. However, the given hint leads us to the .git directory at
Now we have a fully accessible .git directory. The exposed directory can be recursively cloned using
This command clones all the files in the .git directory to the local computer. The cloned directory is a valid Git directory and contains all the information about commits, history, the remote repository address, etc.
Upon checking the status of the repository with the git status command, we find that index.php has been deleted. The deleted index.php file can be restored with the git restore command.
We can now find the username from index.php; however, the password appears to be hashed.
Upon checking the commit history with the git log command, we find there are 3 commits.
We see that there is a commit with ID 8c722b69146bcdca516488e17a76447e44132c7a that mentions a security issue that was fixed.
We can go back to the first commit using the git checkout 6e672df7e870349b61df637122b0871816d612f2 command. (Note that the ID given is that of the first commit.)
Now let us check the source code of index.php. This gives us the username and password of the application.
Upon logging in with these credentials, we get the flag.
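The "security fix" commit did not help because Git keeps every earlier version of index.php as an object inside .git. The following is an added example, not part of the original writeup: a small history audit you can run against your own repository to see whether a secret removed in a later commit is still stored. It assumes loose (unpacked) objects, a flat tree and first-parent history; the three commits and their contents are constructed sample data.

```python
import hashlib, os, re, tempfile, zlib
WHO = "a <a@example.invalid> 0 +0000"  # constructed identity and timestamp

def write_obj(gitdir, kind, body):
    """Store one loose object the way git does: zlib(header + body), named by its SHA-1."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    oid = hashlib.sha1(raw).hexdigest()
    path = os.path.join(gitdir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return oid

def read_obj(gitdir, oid):
    with open(os.path.join(gitdir, "objects", oid[:2], oid[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, body = raw.split(b"\0", 1)
    return header.split()[0].decode(), body

def commit(gitdir, files, parent, msg):
    """files: {name: bytes}. Builds blob -> tree -> commit and returns the commit id."""
    entries = b"".join(b"100644 " + n.encode() + b"\0" + bytes.fromhex(write_obj(gitdir, "blob", d))
                       for n, d in sorted(files.items()))
    tree = write_obj(gitdir, "tree", entries)
    lines = ["tree " + tree] + (["parent " + parent] if parent else [])
    lines += ["author " + WHO, "committer " + WHO, "", msg, ""]
    return write_obj(gitdir, "commit", "\n".join(lines).encode())

def audit_history(gitdir, head, pattern):
    """Walk first-parent history from head; return (commit, file) pairs whose blob matches."""
    hits, oid = [], head
    while oid:
        text = read_obj(gitdir, oid)[1].decode()
        tree = re.search(r"^tree (\w{40})$", text, re.M).group(1)
        parent = re.search(r"^parent (\w{40})$", text, re.M)
        tbody = read_obj(gitdir, tree)[1]
        while tbody:  # each tree entry is "<mode> <name>\0" followed by a 20-byte raw SHA-1
            meta, rest = tbody.split(b"\0", 1)
            name, blob, tbody = meta.split(b" ", 1)[1].decode(), rest[:20].hex(), rest[20:]
            if re.search(pattern, read_obj(gitdir, blob)[1]):
                hits.append((oid, name))
        oid = parent.group(1) if parent else None
    return hits

def demo():
    """Constructed history: plaintext password, then a 'fix' that hashes it, then file removal."""
    gitdir = os.path.join(tempfile.mkdtemp(), ".git")
    c1 = commit(gitdir, {"index.php": b"<?php $pass = 'CONSTRUCTED-PLAINTEXT'; ?>"}, None, "initial")
    c2 = commit(gitdir, {"index.php": b"<?php $pass_hash = 'CONSTRUCTED-HASH'; ?>"}, c1, "fix security issue")
    c3 = commit(gitdir, {}, c2, "remove index.php")
    return [c1, c2, c3], audit_history(gitdir, c3, rb"\$pass\s*=")
```

The audit still reports the first commit even though the latest tree is empty, which is why a leaked credential has to be rotated and the .git directory kept out of the web root rather than relying on a follow-up commit.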