One of our developers accidentally committed some sensitive code to our GitHub repository. Well, at least, that is what they told us…
Introduction
The challenge room for today is TryHackMe’s Commited room. Forensics is something that I need to work on, although this is less of a forensics room and more of a git knowledge room. More on that soon.
Oh no, not again! One of our developers accidentally committed some sensitive code to our GitHub repository. Well, at least, that is what they told us… the problem is, we don’t remember what or where! Can you track down what we accidentally committed?
The files you need are located in /home/ubuntu/commited on the attached VM to this task.
Question one
Discover the flag in the repository!
Seems like a pretty straightforward challenge. We need to dig into the git commit history and find where sensitive code (the flag) was accidentally included.
I use git for this very site so I’m familiar with a few of the commands.
First thing to do here is to run unzip /home/ubuntu/commited.zip. Then cd into /home/ubuntu/commited/commited/ so we can start digging around. From the introduction of the challenge we know that some code was accidentally committed that contained the flag, but ‘we don’t remember what or where’, implying that we need to hunt through the commits to find the flag.
The first command I ran was git log. This will return a nice overview of commit history for the current branch.
ubuntu@thm-comitted:~/commited/commited$ git log
commit 28c36211be8187d4be04530e340206b856198a84 (HEAD -> master)
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:49:32 2022 -0800

    Finished

commit 9ecdc566de145f5c13da74673fa3432773692502
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:40:19 2022 -0800

    Database management features added.

commit 26bcf1aa99094bf2fb4c9685b528a55838698fbe
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:32:49 2022 -0800

    Create database logic added

commit b0eda7db60a1cb0aea86f053816a1bfb7e2d6c67
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:30:43 2022 -0800

    Connecting to db logic added

commit 441daaaa600aef8021f273c8c66404d5283ed83e
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:28:16 2022 -0800

    Initial Project.
Only five commits to view for now. As a quick sanity check, let’s view the main.py file from the latest commit (the one we are on right now):
import mysql.connector

def create_db():
    mydb = mysql.connector.connect(
        host="localhost",
        user="", # Username Goes Here
        password="" # Password Goes Here
    )
    mycursor = mydb.cursor()
    mycursor.execute("CREATE DATABASE commited")

def create_tables():
    mydb = mysql.connector.connect(
        host="localhost",
        user="", #username Goes here
        password="", #password Goes here
        database="commited"
    )
    mycursor = mydb.cursor()
    mycursor.execute("CREATE TABLE customers (name VARCHAR(255), address VARCHAR(255))")

def populate_tables():
    mydb = mysql.connector.connect(
        host="localhost",
        user="",
        password="",
        database="commited"
    )
    mycursor = mydb.cursor()
    sql = "INSERT INTO customers (name, address) VALUES (%s, %s)"
    val = ("John", "Highway 21")
    mycursor.execute(sql, val)
    mydb.commit()
    print(mycursor.rowcount, "record inserted.")

create_db()
create_tables()
populate_tables()
No flags or sensitive information here. Good to check, though.
Time to check the diffs!
We’ll start with the initial commit and move up the list of commits as seen in the git log output:
ubuntu@thm-comitted:~/commited/commited$ git diff 441daaaa600aef8021f273c8c66404d5283ed83e b0eda7db60a1cb0aea86f053816a1bfb7e2d6c67
diff --git a/main.py b/main.py
index dfe24c9..44f3cb3 100644
--- a/main.py
+++ b/main.py
@@ -1 +1,10 @@
-print("Hello World\n")
+import mysql.connector
+
+mydb = mysql.connector.connect(
+ host="localhost",
+ user="", # Username Goes Here
+ password="" # Password Goes Here
+)
+
+print(mydb)
+
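Review bot: the `user=""` and `password=""` placeholders with their "Goes Here" comments in the new `mysql.connector.connect(...)` call invite someone to paste real credentials straight into main.py, where they would stay in history even after a later cleanup. Read both values from environment variables or an untracked config file instead, and drop the `print(mydb)` debug line and the trailing blank line at the end of the file.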
Not really much here. The initial commit was a simple Hello World. With the second commit we can see some logic for connecting to mysql has been added.
Continuing to diff up the list of commits will eventually get us to the most recent. But no flag!
That’s no problem. We can check if there are any other branches:
ubuntu@thm-comitted:~/commited/commited$ git branch -a
dbint
* master
Awesome! Looks like there’s another branch - dbint. Let’s run git log on that branch:
ubuntu@thm-comitted:~/commited/commited$ git checkout dbint
Switched to branch 'dbint'
ubuntu@thm-comitted:~/commited/commited$ git log
commit 4e16af9349ed8eaa4a29decd82a7f1f9886a32db (HEAD -> dbint)
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:48:08 2022 -0800

    Reminder Added.

commit c56c470a2a9dfb5cfbd54cd614a9fdb1644412b5
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:46:39 2022 -0800

    Oops

commit 3a8cc16f919b8ac43651d68dceacbb28ebb9b625
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:45:14 2022 -0800

    DB check

commit 6e1ea88319ae84175bfe953b7791ec695e1ca004
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:43:34 2022 -0800

    Note added

commit 9ecdc566de145f5c13da74673fa3432773692502
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:40:19 2022 -0800

    Database management features added.

commit 26bcf1aa99094bf2fb4c9685b528a55838698fbe
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:32:49 2022 -0800

    Create database logic added

commit b0eda7db60a1cb0aea86f053816a1bfb7e2d6c67
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:30:43 2022 -0800

    Connecting to db logic added

commit 441daaaa600aef8021f273c8c66404d5283ed83e
Author: fumenoid <********@*****.****>
Date: Sun Feb 13 00:28:16 2022 -0800

    Initial Project.
At this point we could just git diff on every commit like we did previously. If we take a second to look at the commit messages for each of these, it should be pretty obvious which commit contains the flag!
git checkout {suspicious commit id} and cat ./main.py will get you the answer. If you’re not sure which commit is the one with the answer, just try one of them! You should find it pretty quickly.
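The manual search above (diff each commit, then repeat on every branch) can be run as a single pass when auditing your own repository for committed credentials. This is an added example, not part of the original walkthrough or the room's files: the function names `scan_patch_stream`, `scan_repo` and `sample_stream` are hypothetical, and the sample patch stream and its values are constructed.

```bash
#!/bin/sh
# Added example: report commits, on any branch, whose diff ADDS a non-empty
# user=/password= value. Function names and sample data are constructed.

# Reads `git log -p --format='commit %H %s'` output on stdin and prints
# "<short id> <subject>: <added line>" for every hit.
scan_patch_stream() {
  awk '
    /^commit [0-9a-f]+ / {          # header line: "commit <id> <subject>"
      id = substr($2, 1, 7)
      subject = $0
      sub(/^commit [0-9a-f]+ /, "", subject)
      next
    }
    /^\+\+\+ / { next }              # "+++ b/file" header, not an added line
    /^\+/ && /(user|password) *= *"[^"]+"/ {
      line = substr($0, 2)
      sub(/^ +/, "", line)
      print id " " subject ": " line
    }
  '
}

# --all walks every ref, so side branches such as dbint are covered too.
scan_repo() {
  git -C "${1:-.}" log --all -p --format='commit %H %s' | scan_patch_stream
}

# Constructed stand-in for the git output, so the scanner runs without a repo.
sample_stream() {
  cat <<'EOF'
commit 1111111aaaaaaa wire up db

diff --git a/main.py b/main.py
--- a/main.py
+++ b/main.py
@@ -0,0 +1,2 @@
+  user="", # Username Goes Here
+  password="" # Password Goes Here
commit 2222222bbbbbbb local test

@@ -1,2 +1,2 @@
-  user="", # Username Goes Here
-  password="" # Password Goes Here
+  user="svc_app",
+  password="EXAMPLE-NOT-A-REAL-SECRET"
EOF
}

sample_stream | scan_patch_stream
```

Run `scan_repo /path/to/repo` against a real checkout. A hit on a side branch means the value is still retrievable even though master looks clean, so the credential needs rotating rather than just deleting.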
Conclusion
Nice quick challenge from TryHackMe. I’ve seen that there are other ways to find the flag, but this feels like the more manual way. Using tools is great, but I like to understand how to do something myself before handing it off to a tool.