First, I stumbled upon a website whose /robots.txt file revealed a .git
directory.

Using the git-dumper tool, I was able to download the whole .git directory and
access its commits, logs, and branches.

Analyzing the source code of the index file revealed a few interesting files,
including /login.php and /admin.php.

After trying some LFI techniques on the PHP code, I was able to extract the
source code of /login.php by having it returned base64-encoded.

Now that we have LFI and can read source files, let's analyze the other files
in the previously dumped .git. First, let's take a look at the exposed
database, where we found the password and key for the administrator user.

In admin.php, a check is performed to verify whether the user's auth_token
corresponds to the administrator user.
</gra_replace>
<gr_replace lines="23-26" cat="clarify" orig="The MD5 of the secret">
The MD5 of the secret key concatenated with the first part of the token is
equal to the second part of the token. This is how the application signs the
token. Therefore, we need to extract the Secret_Key used by the application.
By reading the config.php file through the LFI, I was able to obtain the
Secret_Key.

Further analyzing the PHP code, I discovered a variable called Secret_Key,
which seemed to be used to verify the admin’s credentials.

The MD5 of the secret key concatenated with the first position of the token is
equal to the second part of the token. This is how the application signs the
token. Therefore, we need to filter the Secret_Key used by the application. By
accessing the config.php file using LFI, I was able to extract the Secret_Key.

With this information, I was able to create a cookie for the admin that
contained the user_key I found in the database.

Combining this with the md5 hash of the Secret_Key and a JSON string in base64
format, I was able to generate a valid authentication cookie for the admin and
gain access to /admin.php.
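As an added example (not code from the writeup), this is the check the signing scheme described above amounts to, beside a server-side session alternative that has no signing secret to disclose. The cookie field names, SECRET_KEY and ADMIN_USER_KEY are constructed assumptions.

```python
import base64
import hashlib
import json
import secrets
from typing import Optional

# Constructed sample values; none of them come from the writeup.
SECRET_KEY = "constructed-secret-from-config-php"
ADMIN_USER_KEY = "constructed-admin-user-key"


def sign_token(secret: str, user_key: str) -> str:
    """Signing scheme the writeup describes: md5(Secret_Key + user_key)."""
    return hashlib.md5((secret + user_key).encode()).hexdigest()


def make_cookie(user_key: str, sig: str) -> str:
    """Assumed cookie layout: base64 of a JSON object {"user_key", "sig"}."""
    body = json.dumps({"user_key": user_key, "sig": sig})
    return base64.b64encode(body.encode()).decode()


def verify_signed_cookie(cookie: str, secret: str = SECRET_KEY) -> Optional[str]:
    """Check as the vulnerable admin.php does. Returns user_key, or None."""
    try:
        data = json.loads(base64.b64decode(cookie, validate=True))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    user_key, sig = data.get("user_key"), data.get("sig")
    if not isinstance(user_key, str) or not isinstance(sig, str):
        return None
    # Validity rests entirely on the secret in config.php: anyone who can read
    # that file (here, through the LFI) can mint a cookie for any user_key.
    return user_key if sig == sign_token(secret, user_key) else None


# Hardened alternative: an opaque random session id looked up server-side.
# No signing secret exists to leak, and the database's user_key never
# appears in the cookie at all.
_SESSIONS = {}  # session_id -> user_key


def issue_session(user_key: str) -> str:
    session_id = secrets.token_urlsafe(32)
    _SESSIONS[session_id] = user_key
    return session_id


def verify_session(session_id: str) -> Optional[str]:
    return _SESSIONS.get(session_id)
```

The session change only removes forgeability of the cookie; the exposed .git directory and the LFI still need fixing on their own.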

So now we can access the admin panel and get the flag.

Original writeup (https://medium.com/@josewice7/information-disclosure-to-gain-admin-access-5ec23373a516).