1337UP LIVE CTF 2024 — Private Github Repository

Bob Robizillo created public instructions for Tiffany, so she can start work on a new secret project. Can you access the secret repository?

We're not given a whole lot to work with. However, googling "Bob Robizillo" nets us this public Gist:

Dear Tiffany,

I hope this message finds you well. To streamline our collaboration on the 1337up repository, I kindly ask you to add the enclosed SSH key to your account. This step is crucial for enabling a seamless forking process and enhancing our project efficiency.

Thank you for your prompt attention to this matter.

Best regards, Bob Robizillo

...

Looking through the Gist's revisions, besides some wording changes, nothing else is of note.

Plugging the base64 string into CyberChef, we find that it's an encoded zip file. Extracting the zip, we get Bob's id_rsa SSH key file. The first thing we can try is cloning Bob's repository, 1337up:

kevin@ky28059:/mnt/c/users/kevin/Downloads$ git clone git@github.com:bob-193/1337up.git
Cloning into '1337up'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.

Looking around, though, there isn't very much of interest in there.

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ cat readme.md
Hey, Tiffany! You will need to save this repo in your user space and implement changes we agreed earlier.
kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ git log
commit 5f73d374eace947a4fb12a8e81ceb5a8ca849807 (HEAD -> main, origin/main, origin/HEAD)
Author: bob-193 <[email protected]>
Date:   Mon Aug 19 14:04:04 2024 +0300

    init
kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ git branch
* main
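
From the defender's side, the Gist step above (a base64 string that decodes to a zip holding id_rsa) is something a content scanner can flag. The following is an added example, not part of the original writeup: it scans text for base64 runs that decode to a zip archive and reports members containing a private-key header. The function names, the 40-character threshold, the single-line blob assumption and the sample page are assumptions; the embedded key is a constructed placeholder.

```python
import base64
import io
import re
import zipfile

# Runs of base64 long enough to hold a small archive (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
KEY_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_embedded_archives(text):
    """Return one finding per base64 run in `text` that decodes to a zip archive."""
    findings = []
    for match in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue  # not valid base64 (bad padding or length)
        if not raw.startswith(b"PK\x03\x04"):
            continue  # zip local-file-header magic missing
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = zf.namelist()
                keys = [n for n in members if KEY_MARKER.search(zf.read(n))]
        except (zipfile.BadZipFile, RuntimeError):
            continue  # truncated, corrupt, or password-protected archive
        findings.append({"offset": match.start(), "members": members,
                         "private_keys": keys})
    return findings


def build_sample_page():
    """Constructed input: a zip holding a placeholder (non-functional) key, as base64."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                              "PLACEHOLDER-NOT-A-REAL-KEY\n"
                              "-----END OPENSSH PRIVATE KEY-----\n")
        zf.writestr("note.txt", "constructed sample\n")
    blob = base64.b64encode(buf.getvalue()).decode()
    return "Please add the enclosed SSH key to your account.\n\n" + blob + "\n"


if __name__ == "__main__":
    for finding in find_embedded_archives(build_sample_page()):
        print(finding)
```
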

The key realization here, though, is that you can reverse look up the GitHub username an SSH key belongs to by connecting to GitHub's servers with it:

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ ssh -T git@github.com
Hi nitrofany! You've successfully authenticated, but GitHub does not provide shell access.

finally giving us Tiffany's GitHub username, nitrofany.

Then, we can clone Tiffany's fork of the repo:

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ git clone git@github.com:nitrofany/1337up.git
Cloning into '1337up'...
remote: Enumerating objects: 13, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 13 (delta 0), reused 10 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (13/13), done.

There's more of note in this fork, but still nothing with a real flag.

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ git log
commit 0f2ad0478e2acc0536be49ecefcb5e12cf797228 (HEAD -> main, origin/main, origin/HEAD)
Author: root <[email protected]>
Date:   Mon Aug 19 14:17:45 2024 +0200

    update

commit 5c18888418fd3f2a9d76cfd278b69c1f7c41ba4f
Author: root <[email protected]>
Date:   Mon Aug 19 14:15:57 2024 +0200

    update

commit d127325918e586ed6bfbd7fff94e049378d5694b
Author: root <[email protected]>
Date:   Mon Aug 19 14:14:02 2024 +0200

    update

commit 5f73d374eace947a4fb12a8e81ceb5a8ca849807
Author: bob-193 <[email protected]>
Date:   Mon Aug 19 14:04:04 2024 +0300

    init
kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ ls
config  readme.md
kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ ls -al config
total 0
drwxrwxrwx 1 kevin kevin 4096 Nov 16 02:16 .
drwxrwxrwx 1 kevin kevin 4096 Nov 16 02:16 ..
-rwxrwxrwx 1 kevin kevin   44 Nov 16 02:16 .env
kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ cat config/.env
flag=replace with production INTIGRITI{...}

Still, diffing against one of the earlier commits, we find:

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ git diff 5c188
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index 0f2b51c..0000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "config"]
-       path = config
-       url = https://github.com/nitrofany/01189998819991197253
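Review bot: the submodule URL removed at `.gitmodules` lines 1-3 stays recoverable from history, so deleting the file does not hide `https://github.com/nitrofany/01189998819991197253` from anyone who can clone this repository and diff against 5c188. If that repository name is meant to stay undisclosed, the history has to be rewritten rather than the file deleted, and access to the referenced repository should not rely on its name being unknown.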
diff --git a/config/.env b/config/.env
new file mode 100644
index 0000000..1758539
--- /dev/null
+++ b/config/.env
@@ -0,0 +1 @@
+flag=replace with production INTIGRITI{...}
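Review bot: `config/.env` is added as a tracked file, so every clone and fork carries it; the value on line 1 is still a placeholder (`replace with production INTIGRITI{...}`), but a tracked `.env` is where the production value would end up committed. Suggest listing `config/.env` in `.gitignore` and tracking a template file (for example `config/.env.example`) instead.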

So the last thing we need to do is to clone this submodule.

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ git clone git@github.com:nitrofany/01189998819991197253
Cloning into '01189998819991197253'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.

Looking inside, we get the flag:

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up/01189998819991197253$ cat flag.md
# INTIGRITI{9e0121bb8bce15ead3d7f529a81b77b4}