Writeup 9447 – bashful

Writeup by Florian@Brutewoorse

Challenge Name:  bashful

Value: 101 points

In this challenge we got a simple index.html file containing the following information

13/2/2004: I learned how to html, yay!
12/4/2004: I learned how to use git, yay!
13/4/2004: Hidden my ‘repository’ so people can’t access it. I have a feeling I will need to protect something soon.
08/9/2004: Forged a token from the whispering iron. It is very dear to me, I should protect it.
10/9/2004: I put my token in a text file to protect it from alien mind readers from planet Zblaargh.
10/9/2004: I can’t forget my token. What do I do? I should also pack so I’m ready to leave soon.
11/9/2004: I panicked and deleted the token. It is the work of evil doers.
12/9/2004: My token is lost. My life has no meaning now. I’m going to watch Louie season 4.

I highlighted some important sentences and started to search for a hidden repository on the server.

By appending /.git on the URL we got a directory listening archive from the internal git structure.
I browsed through all folders and found the file /.git/objects/pack/pack-deff83d57714493c6d317394f3542da8e396f887.pack
Git uses this pack file to compress all objects, which are for example commits.
At my workstation I initialized a repo with git init, downloaded the .pack and .idx file in a subfolder of my git root folder and executed the command

git unpack-objects <  pack-deff83d57714493c6d317394f3542da8e396f887.pack

I got the feedback “Unpacking objects: 100% (4/4), done.” and can see some new folders in my local /.git/objects
These objects are compressed with zlib.
By uncompressing the 4 files in the 4 new created folders I can see the content of each commit.