← Back to home

LA CTF 2024 — my poor git

My poor git server! I think someone took a hammer to the server and ruined a few of the files!

The git repo is available at /flag.git

poor-git.chall.lac.tf

We're given a git server with repo at /flag.git. Fetching /flag.git/HEAD, we get

Code: 

1ref: refs/heads/main

Unfortunately, just trying naively to clone the repository gives an error:

Code (ps): 

1PS C:\Users\kevin\Downloads> git clone https://poor-git.chall.lac.tf/flag.git
2Cloning into 'flag'...
3remote: error: Could not read b061db539557e1bb4dbcffd936a2d1412eeb1f66
4remote: fatal: Failed to traverse parents of commit c2e6e9737a8a666667b27c3a1dc84a76c8f4dab3
5remote: aborting due to possible repository corruption on the remote side.
6fatal: protocol error: bad pack header

— it looks like these "ruined files" have corrupted parts of the commit tree.

Instead, a big hint lies in the description of the follow-up challenge, "my smart git":

Apparently my poor git server didn't like being called "dumb", so it disabled its dumb capabilities.

Looking it up, it appears that the "dumb" and "smart" protocols are protocols used by Git servers to transfer data between repositories. Following this, we can instead look at /flag.git/info/refs to get the SHA-1 hash of the latest commit on main:

Code: 

1217ecd3c93b00c6b7404473d3bdfcb222a22edf4	refs/heads/main

Now that we have the hash, we can then request /flag.git/objects/21/7ecd3c93b00c6b7404473d3bdfcb222a22edf4 to get the raw object file associated with the commit. Running the file contents through zlib-inflate, we can find the hash of the commit's parent, as well as the associated tree object.

Code: 

1commit 1128[nul]tree b46f24349a27913ddfa5c8a29bc3bcc8d2722358
2parent c2e6e9737a8a666667b27c3a1dc84a76c8f4dab3
3author burturt <31748545+burturt@users.noreply.github.com> 1705793830 -0800
4committer burturt <31748545+burturt@users.noreply.github.com> 1705793830 -0800
5gpgsig -----BEGIN PGP SIGNATURE-----
6 
7 iQIzBAABCAAdFiEES9haaAXoglC6rYp5y1IcUPPMLo8FAmWsWSYACgkQy1IcUPPM
8 Lo+D7xAArOSdQR7brnqMfoeYp5no8DH/GduQ0k8M6EPMaVWG8Muj2yt1rBMJQxy+
9 LQdMHDCEXJIZ/xjqMsSB7wIKd83QjtT2l2dfo8f/s4HibiSe/1legY69jcigbZ7X
10 /k4ghGrp0MKL8o768GcbOVZ/eRhQeSef+X2bCnUD9ITHqmjEUq2f0LBGvLulmSIb
11 jlqEhSfm5bu3PjUyD3sn81oZoL02313FQABGgMNz7NSSP7T0qpfqNhrNvgTvZCao
12 L+yuk3g4iFnVztUIW+QS91+VpTrJZU5fsOd+aLNRkR6ka8ZZOwzuDpKP3gYQ2oyB
13 0pxHQdkQ1imlc1atTCqGvCUERWGzRqfF2hyNRLy008uSY/yR9dPkHVnmq/Y7jL9C
14 CrkjwwqUHk7abCPPIqKS0IA0nwiMFh3ifSxVqcqkchbca6rfTdRiYhoRIIpf4igK
15 RHnSEOE/pmwt4Nd0oHh/QR3x0zoYI3+et7fGAD0yJ/TgakZRqts00XOspkT1ExDv
16 b73vq71qTBwggGzNx92xWvtQEqRXAabnjj9kf5ku7Ff3gfqj0auzLtWmJYvX+b8o
17 cJlZ5OREHrs/M898uP1CWwmkGSv7Jn+ZsMGdE0yxh7SWMPLMoKqnFCy9oEN49IWC
18 RVzOF8yeqNYNsvfDOxGv6PoMch2+M/mu21XzwcU2ku2I4MUp4hs=
19 =uif1
20 -----END PGP SIGNATURE-----
21
22remove flag again uugh

Looking at the tree object at /flag.git/objects/b4/6f24349a27913ddfa5c8a29bc3bcc8d2722358 in cat-file, we get the hash to the blob file with the contents of nothing_here.txt:

Code (ps): 

1PS C:\Users\kevin\Downloads> git cat-file -p b46f24349a27913ddfa5c8a29bc3bcc8d2722358
2100644 blob 9edefc0af031a4fd82fe047ca2abe625abd2b933    nothing_here.txt

Unfortunately, /flag.git/objects/9e/defc0af031a4fd82fe047ca2abe625abd2b933 isn't what we're looking for.

Code: 

1blob 30[nul]there's nothing here, go away

Instead, we can repeat the same process for the commit's parent. Looking at /flag.git/objects/c2/e6e9737a8a666667b27c3a1dc84a76c8f4dab3,

Code: 

1commit 1172[nul]tree 47442ca74fffb4c5d1293fbd7bb0bc048d8fdff4
2parent ac4d7070179f49c03ed06d98c19068cc8e2d74c5
3parent b061db539557e1bb4dbcffd936a2d1412eeb1f66
4author burturt <31748545+burturt@users.noreply.github.com> 1705793796 -0800
5committer burturt <31748545+burturt@users.noreply.github.com> 1705793796 -0800
6gpgsig -----BEGIN PGP SIGNATURE-----
7 
8 iQIzBAABCAAdFiEES9haaAXoglC6rYp5y1IcUPPMLo8FAmWsWQsACgkQy1IcUPPM
9 Lo/WTQ/+NHlgQ/9EPV/6hgdC/ZrzatMEckzxCW7ZByOkDoO0c/69HcarTtXZbR7B
10 ewd1eqUdVRAmfIxzH9wkQptn05lEpJm6waiA6udsFkh2ZiFmdgq66reVXrLpP/4M
11 YBCcpM1i4Z7MLE8u/hJDWE+yogaGBF97nP+sm7NGIkyrrRgf1DwYNxuGsdsOnOtD
12 scbA1/mnRvKQ06I0zKlSmbhjXtkNyMY8fQ9B4nq3JoReIQ+QNCPd6HuU/D83bHVt
13 agFKnBCQE9lNgeMZYuQSnHKA8Vg9GhoMqa7u9sIRZEBtiJJnVcs7o1EvwF9iOF87
14 ZJRRt3rU/BoM4G8i/0g7FnHb2VaTi0UgXe9Vy6QHryje8cUhCxc8WcpU/s6jheid
15 q6BR6oDJxTCZZktz5/DYZzRl7Ekz2dv2d0f9Ie3/gK5Ro4bSAOFV1vTEL2ekDpX2
16 3DVo5//jKuQH9mZQHcSZwI9gvp1oITC6w2NGs+IHLA3L1p7in0WmcMoA6biKRXEb
17 LpLkhQ2+7Qi+8X/e0l1Nuo2KMuL+2Py9JwNmCgMNF65Hv8orpEmw8flc6Jz5bT73
18 o7BDNyzNjo347pMs476jZHnsd7cHXezAPCPzHSuvGgB71uTdNRXOQ8zwWy1j2gS/
19 Pe0QyoNVW5FFvryhe2DEuHTHiQ6f/bpxn/SMicO28v488/78rlU=
20 =tzsP
21 -----END PGP SIGNATURE-----
22
23Merge branch 'fix'

Code (ps): 

1PS C:\Users\kevin\Downloads> git cat-file -p 47442ca74fffb4c5d1293fbd7bb0bc048d8fdff4
2100644 blob 21ffc8efea76d918dc0c5c956ea9d73b51327a8e    flag.txt

Code: 

1blob 20[nul]lactf{not the flag}

Looking at /flag.git/objects/91/fede8498f1ffd14699ec8d7f43f383f3147e64,

Code: 

1commit 1117[nul]tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
2parent 91fede8498f1ffd14699ec8d7f43f383f3147e64
3author burturt <31748545+burturt@users.noreply.github.com> 1705793793 -0800
4committer burturt <31748545+burturt@users.noreply.github.com> 1705793793 -0800
5gpgsig -----BEGIN PGP SIGNATURE-----
6 
7 iQIzBAABCAAdFiEES9haaAXoglC6rYp5y1IcUPPMLo8FAmWsWQEACgkQy1IcUPPM
8 Lo8GiA/+PR30IZnufwJ+67HIlWJpZ0FxuoM2dttVxy1bVVvOm5k3eyJxQ6Kt69UW
9 dVQSPSZjY7FQBKwBgjANHytATVGNK4PE/SLhfyKyakHBrnx3sueMW9zSDPVlV1xS
10 uGQ4q/2VWsV331aAoBYB8x2VM1809YpcVINrZq3ylv1J7GTNzXVwZWbIjejMq68x
11 5iN8mCpJX6qUfI7pn6uJWNXv8AkX7AQWWD0i+s8D5CBvHpeVeVLrZLO+97oexGMd
12 BXYcfWKyjnHtRzM4OF2OoYJBdEk8QfmMi2g9Zn6IwZmU8HRpQR+TuNJOHHMSZbqh
13 jftQNqBLuGL4o158ejEgptSkf/R3m7F4vVqzcS7SwcfP0QcqpJ/Ra5bJoWuye5Ln
14 R2lE7Y39HK0lxJfcZQddDy824JZUWYPUdBvmLkOkb/z8nt91WWaiRYo7cDyI8KAA
15 HlOyPordSYrOc0Z9iSk13lZ1sDHrunw3kEAd8ayI4PMqdPJNTmdCcSelKbnfLtyA
16 YOcoC3qyhPR5NGeQGebC0caNIFzEsPkmdP639qVF2w+yq9oRgSwgcIPoowoJgIGI
17 YUZlnSwGSqPb/x4nnfvgN7gvNvYOVZo6k1AGubMK8E4Ti2ReiKYuD1gvDrq9g9gc
18 SgtAbJvd+l+skpyzrODGunKMoFT1DiqekrNp9/Iyt1mqcrtYfFE=
19 =U9g5
20 -----END PGP SIGNATURE-----
21
22remove flag

this commit has an empty tree. Looking at /flag.git/objects/91/fede8498f1ffd14699ec8d7f43f383f3147e64,

Code: 

1commit 1135[nul]tree 1ee98dd3a67505c02a1ab4739f1a46a25d116599
2parent e3fde9187ea42af07d95bb3e891b6338738810ab
3author burturt <31748545+burturt@users.noreply.github.com> 1705793666 -0800
4committer burturt <31748545+burturt@users.noreply.github.com> 1705793666 -0800
5gpgsig -----BEGIN PGP SIGNATURE-----
6 
7 iQIzBAABCAAdFiEES9haaAXoglC6rYp5y1IcUPPMLo8FAmWsWIIACgkQy1IcUPPM
8 Lo8IqxAAn8uYimDqV0DjARDRn8F+AqCZ/VylAa2V+QdTcVFe+2yy/R2FidG+MVBf
9 3ol5DXL/EJ7pKcVSqBgsbP7VeGxn5M2T/pJ9l0wftALuTXY4r5Seb5OIy0ekO7bf
10 QmI4KFMyxuXucIDlhNToyrutiZ012v2efFZRw3ouzVA0anlCti+e018ug+1Gnc/W
11 7Y2oeBtuHFjNofSePsj1dAOa9K7RxYLJd3zQ0hqlx2qCrvcrfDSnlVQYRM/hWFmC
12 QqCsvgIu8vK0vNkg1uSfC9RNT7Y3zkdgTx+Q3xslJWskgcB5EWisCeSQFput29Py
13 TLP5p5MDgdHNji3oxjYOOHPErzvgLzL6bkgBB5zqnD5BOAMlWu5HG7XmpKljUwbf
14 mTMjFRgW0Oixw1736FdwUCC9PBaCfyfVjZtGS3JepVxwIBx0W3AvVgaoWK2LH0SS
15 3w6Qaa2SWnr2BJ/mvQpbBtOkTyBsdYzjdjHiV90nTNUMvBFb/Zq2V6synp0GoLRH
16 B11AslvaxHakbPMr9mtGOAUw/6FJFOf6Rhg1eCsUNdpHtZ5igXtn7sU2ngYlhSQK
17 KRME/axtlMaGlLh/VdR69iCyrpleWJtt9l5iRrK9tBlv904Nc6xi6bxqAmThKVet
18 MyOyUaeMToSplgOcLeKXwjzhOsOOwnUgDld1sQjBjPJKXLqQvsY=
19 =vP+C
20 -----END PGP SIGNATURE-----
21
22remove newline at end of file

this tree file doesn't seem to exist. Finally, looking at /flag.git/objects/e3/fde9187ea42af07d95bb3e891b6338738810ab,

Code: 

1commit 1114[nul]tree 75e7c1f3b178941ef76997bc3a9ca19bdc0dda09
2parent fd87b3b95fc02fea268ecea9dce20964b285f50b
3author burturt <31748545+burturt@users.noreply.github.com> 1705793578 -0800
4committer burturt <31748545+burturt@users.noreply.github.com> 1705793578 -0800
5gpgsig -----BEGIN PGP SIGNATURE-----
6 
7 iQIzBAABCAAdFiEES9haaAXoglC6rYp5y1IcUPPMLo8FAmWsWCoACgkQy1IcUPPM
8 Lo+qoA//aHEpF4eedE4gfR+ghdo9qbNIJTJME1hyeS421Z4xZWBZZtX989yVdWDo
9 ryD2eqwvMFJhoZc/Rr5NZnv0D+ozn+qFd3Td6wpQK8d8CeYrD/TmtPsX2ABZD2Nx
10 so2EY+73+YGYtqVHiVlFNjI4IpUb2bkjwPXfonr9N4ZPiVF4eEf08iOVKmWHpvE1
11 Jg3R8EHyZ//osphfPyfoTP8w5FSaO7La/p5HuyXYIYnnZSy6Zqz9YZ5AfPFedpwN
12 1LrOI5hukgXms+LwO8AONNqYJsaDkwNivpmh3EGM/HLICwv8yXiY69E3EopaaTfY
13 lWqZ7GZA9kFkykyfnb+g4wlu/OdfHLtuMLiB++4bPsChVFh1FPOxxL96JOnmA+jh
14 7F3T50guec5z4plaw68vYkiUS0vC1A20qqW0GJLgutSlQDR9s66Wr64I8ltgZCHQ
15 vs8paRHqYrmZt4TM1EgMEvRszSgCEw0p9vGYeF6UuhdWHo1E6ecwpelUzpjUF33k
16 sNvyhdW17l1IAwT5vT1tt93zPJ8edjJ6IKsWmB8hhKzmyrmJnlzr+vMPRP2LZiJX
17 qiFzgWNbdhb+j4v4apvOIpas2oJdX30nhqnTsU8zlz1SfiGf8G1d5RRkacuR3Bxj
18 9eYRlqsxcKvF4z1owMbhmFd2sDhgSVRsN4W5OFqzwF4fjr5QaQY=
19 =O3tj
20 -----END PGP SIGNATURE-----
21
22add flag

Code (ps): 

1PS C:\Users\kevin\Downloads> git cat-file -p 75e7c1f3b178941ef76997bc3a9ca19bdc0dda09
2100644 blob 741fa59ac9ec45f978d799bd88b7290bc304abdd    flag.txt

Code: 

1blob 32[nul]lactf{u51n9_dum8_g17_pr070c01z}

we get the flag.