9447 CTF 2014 - Web 100 - tumorous

How to discover and manually decompress a git object file from a web-accessible repository.


This is a write-up about one of the 9447 CTF web challenges. The goal of this challenge was to recover a file from a web-accessible git repository.


We are given a URL to an HTML page which suggests that the target is using git. The first thing I check is the existence of a .git folder at the root of the website.


The HTTP request returned "403 Forbidden", which means the directory exists but we can't access it.

Index file

The second step was to download the index file. The index is a binary file containing a sorted list of path names, each with permissions and the SHA1 of a blob object.


By opening the index file with a hexadecimal editor, we can see there is a "token" file with the SHA1 0d2fce4623aa8cd8fcaae969c9af4c73e0b4bfe0.

Reading the object file

We can download the token object file with the following URL.


The last step to get the flag is to decompress the object. One simple way to do it is to use Python and zlib, reading the file as raw bytes.
python3 -c "import zlib,sys;print(repr(zlib.decompress(sys.stdin.buffer.read())))" < 2fce4623aa8cd8fcaae969c9af4c73e0b4bfe0
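
The two steps above (reading the path and SHA1 pairs out of the index, then inflating the object file) can also be done in a few lines of Python instead of a hex editor. This is an added example, not part of the original write-up; the function names and the sample blob and index are constructed for illustration, and the sample index omits the trailing checksum a real index carries.

```python
import hashlib
import struct
import zlib


def parse_index(data):
    """Return [(path, sha1_hex, mode)] from a git index file (version 2 or 3)."""
    signature, version, count = struct.unpack(">4sII", data[:12])
    if signature != b"DIRC" or version not in (2, 3):
        raise ValueError("not a version 2/3 git index")
    entries, pos = [], 12
    for _ in range(count):
        # Fixed 62 bytes: ten 32-bit stat fields, 20-byte SHA-1, 16-bit flags.
        fields = struct.unpack(">10I20sH", data[pos:pos + 62])
        mode, sha1, flags = fields[6], fields[10], fields[11]
        start = pos + 62 + (2 if flags & 0x4000 else 0)  # v3 extended flags
        end = data.index(b"\x00", start)
        entries.append((data[start:end].decode(), sha1.hex(), oct(mode)))
        pos += ((end - pos) // 8 + 1) * 8  # 1-8 NULs pad entry to 8 bytes
    return entries


def loose_object_path(sha1_hex):
    """Loose objects are stored as objects/<first 2 hex digits>/<other 38>."""
    return ".git/objects/%s/%s" % (sha1_hex[:2], sha1_hex[2:])


def read_loose_object(raw):
    """Inflate a loose object; return (type, content, sha1 of the object)."""
    body = zlib.decompress(raw)
    header, content = body.split(b"\x00", 1)
    kind, size = header.split(b" ")
    if int(size) != len(content):
        raise ValueError("header size does not match content length")
    return kind.decode(), content, hashlib.sha1(body).hexdigest()


# Constructed sample data (not the challenge files): one blob and its index.
SAMPLE_BODY = b"blob 12\x00hello token\n"
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_BODY).digest()
SAMPLE_BLOB = zlib.compress(SAMPLE_BODY)
entry = struct.pack(">10I20sH", *[0] * 6, 0o100644, 0, 0, 12, SAMPLE_SHA1, 5) + b"token"
entry += b"\x00" * (8 - len(entry) % 8)
SAMPLE_INDEX = struct.pack(">4sII", b"DIRC", 2, 1) + entry

if __name__ == "__main__":
    for path, sha1_hex, mode in parse_index(SAMPLE_INDEX):
        print(mode, sha1_hex, path, "->", loose_object_path(sha1_hex))
    print(read_loose_object(SAMPLE_BLOB))
```

The SHA1 returned by read_loose_object should equal the one listed in the index, which confirms the downloaded object is complete and is the file the index refers to.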