// k3ng
  • 👋
  • 2025
    • Cyber Jawara National 2024
      • Whale
      • Grayscale
      • Log4Shell
  • 2024
    • HTB University CTF 2024: Binary Badlands
      • Apolo
      • Freedom
      • Frontier Exposed
      • Wanter Alive
      • Armaxis
    • TSA Cyber Champion 2024
      • 101 - Forensics
      • eavesdropped
      • 101 - Web Exploitation
    • Cyber Jawara International 2024
      • prepare the tools
      • Sleeper
      • P2PWannabe
    • CTF Hology 7.0
      • give me
      • Books Gallery
    • TCP1P CTF 2024
      • doxxed
      • Lost Progress
    • Gemastik 2024 Finals
      • kode-viewer
Powered by GitBook
On this page
  • Challenge Description
  • Flag
  • Analysis and Solution
  1. 2024
  2. TCP1P CTF 2024

doxxed

Last updated 3 months ago

Challenge Description

I recently forked a public repository on GitHub. After a few days I deleted my repo. However, my friend informed me that he are still able to access one of my commits from that fork which commit 4bxxxxx. Can you figure out how this happened? See the public repo below.

Flag

TCP1P{83fe034b2cfb09deafbb955b03392a083d8f83b2}

Analysis and Solution

We are given a .zip file containing a git repository. From the description, we are supposed to find a commit from a deleted fork. First, we need to find the GitHub URL for this repository. We could find that information from the .git/config file.

From this file, we can conclude that the origin is pointing to [email protected]:notevilcorp/tools.git. This is equivalent to the GitHub URL of https://github.com/notevilcorp/tools.

Based on this blog, we can conclude that the commit from the deleted fork is still stored by GitHub. By supplying the commit hash, we could access said commit. But, we are only supplied with the first two characters of the commit hash.

Based on this Git documentation, Git could identify a commit with only the first four characters of the commit hash, given that there is only one commit hash that starts with that four characters. This means we could brute-force the hash to get the commit.

# bruteforce.py

from itertools import permutations
import requests

for a in '0123456789abcdef':
    lastsha = permutations('0123456789abcdef', 1)
    for _ in lastsha:
        sha = '4b' + a + _[0]
        res = requests.get('https://github.com/notevilcorp/tools/commit/' + sha)
        if res.status_code != 404:
            print(sha)
            exit()

After we use this script, we got a commit hash of 4b15. Therefore we need to go to https://github.com/notevilcorp/tools/commit/4b15 to access the commit from the deleted fork.

Looking at the diff of this commit, this commit adds a file called start.sh containing a command to run a Docker container from the 53buahapel/sup3rsecretools:dev image. Let's look at this docker image on the Docker Hub.

Based on the layers in this image, we can see that there is an exec file that is replacing the default exec executable. Let's extract that file to look into it further. To do that, we could extract the image by using the docker save command and saving the result to a .tar file.

After looking around, the exec executable that we are looking for is on 3ef0ed19552377195b1dddad9b036de38fc2ff4a86ce921016edaae42e00a8d1/layer.tar.

Since this is an executable, let's reverse engineer it using Ghidra.

From the decompilation, we could see that this executable will do a cURL request to https://asciified.thelicato.io/api/v2/ascii?text= and supplying a Base64 string as the text query parameter. Decoding the Base64 string will get us the flag.

Contents of .git/config
Diff of the 4b15 commit
Layers of the Docker image
Running commands to extract the Docker image
Extracting the layer containing the exec executable
Decompilation result of the main() function of the exec executable
Decoding result of the Base64 string