IR 451: Exploiting GitHub Commits (45 pts)

What You Need for This Project

Purpose

To learn how to use git, common security flaws, and how to avoid them.

Creating a GitHub Account

If you already have an account, you can use it.

If not, in a Web browser, go to

https://github.com

Enter your email. Follow the on-screen process to create an account, as shown below.

Installing git

The command-line tool to manage GitHub is "git". Download and install it here:

https://git-scm.com/downloads

Setting your Name and Email Address

Execute these commands, inserting the name and email you used to log into GitHub as indicated:

git config --global user.name your-name
git config --global user.email your-email

Creating a Folder and Files

In a Command Prompt or Terminal, execute these commands:

mkdir testr
cd testr
echo A > FileA.txt
echo B > FileB.txt

To see the contents of the folder, execute this command:

ls -al

You see the two files "FileA.txt" and "FileB.txt", as well as the two system-generated entries "." and "..", as shown below.

Initializing a Git Repository

Execute these commands:

git init
git status

This creates a ".git" directory, but it does not add the files to it, as shown below.

Staging and Committing Files

We'll add all the files to the repository, and "commit" them with the message "First Commit".

Execute these commands:

git add -A
git status
git commit -m "First Commit"
git status

This adds the files to your local git repository, as shown below.

Creating a GitHub Repository

In a Web browser, go to

https://github.com

Log in to GitHub, if you haven't already.

Click the green New button, as shown below.

Name your repository testr, as shown below.

Accept the default values and, at the bottom, click the green "Create repository" button.

The next page shows the URL of your repository, outlined in red in the image below. Copy this URL to the clipboard.

Pushing Changes to the GitHub Repository

In your Terminal or Command Prompt window, execute this command, replacing the URL with the URL you just copied:

git push https://github.com/cnit123e/testr.git master

Enter your username and password when you are prompted to.

This uploads the files to GitHub, as shown below.

Viewing the Files on GitHub

Refresh the GitHub page.

The files appear, as shown below.

Creating a File with Secrets

Now let's create a security problem. We'll add a file with non-public information to the repository, commit it, and push it up.

Execute these commands, replacing the URL with the URL of your repository.

echo SECRETS > secrets.txt
git add -A
git commit -m "Second commit"
git push https://github.com/cnit123e/testr.git master

The files are uploaded, as shown below.

Viewing the Files on GitHub

Refresh the GitHub page.

The secrets.txt file appears, as shown below.

Click secrets.txt to see its contents.

This is bad--that file is visible to anyone, since this is a default Public repository.

Removing the File

Execute these commands, replacing the URL with the URL of your repository.

rm secrets.txt
git add -A
git commit -m "Third commit"
git push https://github.com/cnit123e/testr.git master

The files are uploaded, as shown below.

Viewing the Files on GitHub

In your browser, click the Back button.

Refresh the GitHub page.

The secrets.txt file is gone, as shown below.

This appears to have fixed the problem, but it hasn't, because that file can still be retrieved from GitHub.

Retrieving Old Versions from GitHub

Execute these commands, replacing the URL with the URL of your repository:

cd
mkdir testr2
cd testr2
git clone https://github.com/cnit123e/testr.git
cd testr
git log

You see the three commits, named "Third commit", "Second commit", and "First commit", as shown below.

Highlight the hash value of the "Second commit", outlined in red in the image above, and copy it to the clipboard.

Execute these commands, replacing the hash value with the hash value you just copied:

q
git checkout 5dcf1a0372bc5b0b517faaecf8e65aff5cf652a1
ls
cat secrets.txt

The secret file is revealed, as shown below.

IR 450.1: State (10 pts)

The flag is covered by a green rectangle in the image below.

Cleaning the Repository

Getting Java

To do this, you need Java. To see if you have Java, in a Terminal, execute this command:

java --version

If you see a version number, as shown below, you have Java.

If you need to install Java, see Oracle's mind-boggling instructions here:

https://docs.oracle.com/en/java/javase/15/install/installation-jdk-macos.html#GUID-2FE451B0-9572-4E38-A1A5-568B77B146DE

Getting BFG Repo-Cleaner

In a browser, go to

https://rtyley.github.io/bfg-repo-cleaner/

Click the "Download v1.13.0" button, as shown below.

Then delete the secrets.txt file from all commits in your repository with these commands, replacing the URL with the URL of your repository:

cd
cd Downloads
git clone --mirror https://github.com/cnit123e/testr.git
java -jar bfg-1.13.0.jar --delete-files secrets.txt testr.git
cd testr.git
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git push

IR 450.2: Update (10 pts)

The flag is covered by a green rectangle in the image below.

Retrieving The Second Commit Again from GitHub

To see if it worked, execute these commands, replacing the URL with the URL of your repository:

cd
mkdir testr3
cd testr3
git clone https://github.com/cnit123e/testr.git
cd testr
git log

Find the hash for the "Second commit" and use it in the appropriate command below.

git checkout e88cb745e3627dd005ba1a03ab700bb8bfad9edc
ls

The secrets.txt file is gone, as shown below.
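
A scripted version of this check, as an added example that is not part of the original lab: instead of checking out one hash by hand, it walks every commit reachable from any ref and reports each one whose tree still contains a given file. The function names and the throwaway repository it builds are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original lab; function names are hypothetical.

# commits_with_path REPO FILE
# Prints "<commit> <blob>" for every commit reachable from any ref whose tree
# contains FILE. Exit status is 0 if at least one commit holds it, 1 if none.
commits_with_path() {
    repo=$1 file=$2 rc=1
    for c in $(git -C "$repo" rev-list --all); do
        if blob=$(git -C "$repo" rev-parse --verify --quiet "$c:$file" 2>/dev/null); then
            printf '%s %s\n' "$c" "$blob"
            rc=0
        fi
    done
    return $rc
}

# commit_as_lab DIR MESSAGE: stage everything and commit with a throwaway identity.
commit_as_lab() {
    git -C "$1" add -A
    git -C "$1" -c user.name=lab -c user.email=lab@example.invalid commit -q -m "$2"
}

# build_demo_repo DIR
# Constructed sample: replays the lab's three commits in a local repository.
build_demo_repo() {
    git init -q "$1"
    echo A > "$1/FileA.txt"; echo B > "$1/FileB.txt"
    commit_as_lab "$1" "First Commit"
    echo SECRETS > "$1/secrets.txt"
    commit_as_lab "$1" "Second commit"
    rm "$1/secrets.txt"
    commit_as_lab "$1" "Third commit"
}

demo=$(mktemp -d)
build_demo_repo "$demo"
[ -e "$demo/secrets.txt" ] || echo "secrets.txt: not in the working tree"
if commits_with_path "$demo" secrets.txt; then
    echo "secrets.txt: still stored in the commit(s) listed above"
else
    echo "secrets.txt: not present in any reachable commit"
fi
rm -rf "$demo"
```

On a real clone, run `commits_with_path . secrets.txt` before and after the BFG step. An empty result covers only commits reachable from that clone's refs, so a secret that was ever pushed to a public repository should still be changed.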

IR 450.3-5: Hidden Flags (25 pts)

Find flags in this repository:

https://github.com/cnit123e/challenge.git

  • IR 450.3: ART FLAG (10 pts)
  • IR 450.4: WEAK FLAG (10 pts)
  • IR 450.5: SUPER FLAG (15 pts)

Hint: this may help.


Posted 11-18-20