Information disclosure in version control history
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-version-control-history
Last updated
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-version-control-history
Last updated
This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator
user then log in and delete the user carlos
.
Adding .git
we obtain a version control history:
https://0afe00be03be902083195529004100e5.web-security-academy.net/.git
Deep dive to each dir/file to check if there're some interesting data:
https://0afe00be03be902083195529004100e5.web-security-academy.net/.git/HEAD
https://0afe00be03be902083195529004100e5.web-security-academy.net/.git/config
https://0afe00be03be902083195529004100e5.web-security-academy.net/.git/COMMIT_EDITMSG
In the 'Head' page there's a potential path, trying to go there: /refs/heads/master
there's an alphanumeric string:
and remembering COMMIT_EDITMSG page and searching into others directories, theres a great info into: /logs/HEAD
https://0afe00be03be902083195529004100e5.web-security-academy.net/.git/logs/HEAD
https://0afe00be03be902083195529004100e5.web-security-academy.net/.git/index
Downloading and opening index file there're an encoded text in hex:
that in clear text contains interesting data:
admin.conf
admin_panel.php
Adding those paths, I've not found a solution, so i decided to download the entire git directories and use a dedicated tool.
Download Git Dir: wget -r https://0afe00be03be902083195529004100e5.web-security-academy.net/.git
Now we've download all git files locally, so go there to investigate well (cd ~/Documents/0a2000e40417d00885e2135600ed00cb.web-security-academy.net/.git
), files are hidden by default, so we can see them using the flag -h (ls -lah
).
It seems the same thing, so we can try to use git commands to check logs: git log
Great, only now i've undestand that those values were about git commits, so the first one seems more interesting, explore it using git show command:
git show e06350084adb1d7a44eef13faf0a9cd6cac55bd5
and finally we obtain the admin password value!
Awesome, now we can login us as administrator (administrator::bohd9ui3rn3yqzgsktq1
)
go to admin portal page:
https://0a3f00cb040ae66c819d1b8e00a700ea.web-security-academy.net/admin
and delete 'Carlos' user completing the lab.