Forensics
Obliterated File
Working on making a problem of TSG CTF, I noticed that I have staged and committed the flag file by mistake before I knew it. I googled and found the following commands, so I'm not sure but anyway typed them. It should be ok, right?
$ git filter-branch --index-filter "git rm -f --ignore-unmatch problem/flag" --prune-empty -- --all
$ git reflog expire --expire=now --all
$ git gc --aggressive --prune=now
Attachment: problem.zip
The archive contained a Git repo whose history had been mangled, but the commit objects might still have been there. A rather ugly one-liner can help us sift through every commit that touched the "flag" file:
$ for commit in $(git rev-list --parents HEAD); do if git rev-list "$commit~1" &>/dev/null; then git --no-pager diff --name-status "$commit" "$commit~1"; fi; done | grep flag
Luckily enough that filename actually existed, so tracking its history and reverting to the moment it was added is trivial:
$ git log --full-history -- flag
$ git checkout 84128ed70713706bef35805b2a097c1e5b493277
Peeking at the code in the repo and running file on the retrieved data reveals that the flag is in fact a ZLib archive:
    require "./src/*"
    require "sqlite3"
    require "zlib"

    # The "flag" file in the repo is stored zlib-compressed; inflate it to get the plaintext
    flag = File.open("./flag", "r") do |f|
      Zlib::Reader.open(f) do |inflate|
        inflate.gets_to_end
      end
    end

    # Rebuild the database from scratch and seed the admin account with the flag as its password
    `rm -rf data.db`
    DB.open "sqlite3://./data.db" do |db|
      db.exec "CREATE TABLE accounts (id text primary key, pass text);"
      db.exec "INSERT INTO accounts VALUES ('admin', '#{flag}');"
    end

    Kemal::Session.config.secret = ENV["session_secret"]
    Kemal.run
$ file ./flag
flag: zlib compressed data
Uncompressing it is just a matter of having the right utils at hand:
$ zlib-flate -uncompress < flag
TSGCTF{$_git_update-ref_-d_refs/original/refs/heads/master}
Note: this challenge was patched throughout the event, making this exact solution infeasible but not invalidating the approach: given the low number of commits, they could all be analyzed one by one to extract the removed flag file.
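The git-based sifting above and the zlib step can also be done without git at all, which is the forensic point of the challenge: a "removed" file survives for as long as its tree and blob objects exist on disk, whatever the refs and reflog say. The following Python script is an added example, not part of the original writeup: it parses the loose objects under .git/objects directly, looks for any tree entry named "flag", and inflates the blob. It handles only loose objects (not packfiles), and the object store it scans is a constructed sample built in a temp dir.

```python
import hashlib
import os
import tempfile
import zlib

def write_loose_object(objdir, kind, payload):
    # Git loose object: "<kind> <len>\0<payload>", named by its sha1, stored zlib-deflated
    raw = b"%s %d\0" % (kind.encode(), len(payload)) + payload
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(objdir, sha[:2]), exist_ok=True)
    with open(os.path.join(objdir, sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha

def read_loose_object(objdir, sha):
    # Reads the object straight from disk; no ref or reflog is needed for it to be visible
    with open(os.path.join(objdir, sha[:2], sha[2:]), "rb") as f:
        header, payload = zlib.decompress(f.read()).split(b"\0", 1)
    return header.split(b" ")[0].decode(), payload

def iter_tree(payload):
    # Tree entries are "<mode> <name>\0" followed by a 20-byte binary sha1
    while payload:
        meta, payload = payload.split(b"\0", 1)
        mode, name = meta.split(b" ", 1)
        yield mode.decode(), name.decode(), payload[:20].hex()
        payload = payload[20:]

def find_blobs_named(objdir, wanted):
    # Scan every loose object for tree entries named `wanted`; returns {blob_sha: content}
    found = {}
    for d in (x for x in os.listdir(objdir) if len(x) == 2):
        for f in os.listdir(os.path.join(objdir, d)):
            kind, payload = read_loose_object(objdir, d + f)
            if kind != "tree":
                continue
            for mode, name, sha in iter_tree(payload):
                if name == wanted and mode.startswith("100"):  # regular-file blob
                    found[sha] = read_loose_object(objdir, sha)[1]
    return found

def demo():
    # Constructed sample store: one tree holding a zlib-compressed "flag", as in the challenge repo
    objdir = os.path.join(tempfile.mkdtemp(), "objects")
    blob = write_loose_object(objdir, "blob", zlib.compress(b"TSGCTF{constructed_example}"))
    write_loose_object(objdir, "tree", b"100644 flag\0" + bytes.fromhex(blob))
    hits = find_blobs_named(objdir, "flag")
    return blob in hits, zlib.decompress(hits[blob]).decode()
```

On a real repository point objdir at .git/objects; anything already packed by git gc would need a packfile parser in addition.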