1337UP LIVE CTF 2024 — Private Github Repository

Bob Robizillo created public instructions for Tiffany, so she can start work on a new secret project. Can you access the secret repository?

We're not given a whole lot to work with. However, googling "Bob Robizillo" nets us this public Gist:

Dear Tiffany,

I hope this message finds you well. To streamline our collaboration on the 1337up repository, I kindly ask you to add the enclosed SSH key to your account. This step is crucial for enabling a seamless forking process and enhancing our project efficiency.

Thank you for your prompt attention to this matter.

Best regards, Bob Robizillo

...

Looking through the Gist's revisions, besides some wording changes, nothing else is of note.

Plugging the base64 string into CyberChef, we find that it's an encoded zip file. Extracting the zip, we get Bob's id_rsa SSH key file. The first thing we can try is cloning Bob's repository, 1337up:

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads$ git clone git@github.com:bob-193/1337up.git
Cloning into '1337up'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.

Looking around, though, there isn't very much of interest in there.

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ cat readme.md
Hey, Tiffany! You will need to save this repo in your user space and implement changes we agreed earlier.

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ git log
commit 5f73d374eace947a4fb12a8e81ceb5a8ca849807 (HEAD -> main, origin/main, origin/HEAD)
Author: bob-193 <148455791+bob-193@users.noreply.github.com>
Date:   Mon Aug 19 14:04:04 2024 +0300

    init

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ git branch
* main

The key realization here, though, is that you can reverse lookup a GitHub username through an SSH key by connecting to GitHub's servers:

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ ssh -T git@github.com
Hi nitrofany! You've successfully authenticated, but GitHub does not provide shell access.

This finally gives us Tiffany's GitHub username: nitrofany.
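
The greeting above works because GitHub maps each enrolled public key to exactly one account. The same mapping, run from the responder's side as an added example (not part of the original write-up): given a leaked private key, find which accounts in a key inventory have it enrolled. The inventory layout (one `<user>.keys` file per account, in authorized_keys format), the account names and the function names are assumptions, and the key pairs are generated on the spot as constructed samples.

```shell
# Print the base64 blob (field 2) of the public key derived from a private
# key file; prints nothing if the key cannot be read.
pubkey_blob() {
  ssh-keygen -y -f "$1" 2>/dev/null | awk '{print $2}'
}

# Print each account whose .keys file contains the key's public blob.
accounts_with_key() {
  local keyfile=$1 inventory=$2 blob f
  blob=$(pubkey_blob "$keyfile")
  [ -n "$blob" ] || return 1
  for f in "$inventory"/*.keys; do
    [ -e "$f" ] || continue
    # Match on the blob only; the trailing comment differs between copies.
    if awk -v b="$blob" '$2 == b {hit=1} END {exit !hit}' "$f"; then
      basename "$f" .keys
    fi
  done
}

# Constructed sample: two throwaway key pairs and a two-account inventory.
make_sample_inventory() {
  local dir
  dir=$(mktemp -d) || return 1
  mkdir "$dir/inventory"
  ssh-keygen -q -t ed25519 -N '' -C shared-in-gist -f "$dir/leaked_key"
  ssh-keygen -q -t ed25519 -N '' -C laptop -f "$dir/other_key"
  # account-a holds an unrelated key; account-b enrolled the shared one.
  cp "$dir/other_key.pub" "$dir/inventory/account-a.keys"
  awk '{print $1, $2}' "$dir/leaked_key.pub" > "$dir/inventory/account-b.keys"
  printf '%s\n' "$dir"
}

dir=$(make_sample_inventory)
accounts_with_key "$dir/leaked_key" "$dir/inventory"   # prints: account-b
rm -rf "$dir"
```

Every account the function reports needs the key removed, since possession of the private half authenticates as that account.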

Then, we can clone Tiffany's fork of the repo:

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up$ git clone git@github.com:nitrofany/1337up.git
Cloning into '1337up'...
remote: Enumerating objects: 13, done.
remote: Counting objects: 100% (13/13), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 13 (delta 0), reused 10 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (13/13), done.

There's more of note in this fork, but still nothing with a real flag.

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ git log
commit 0f2ad0478e2acc0536be49ecefcb5e12cf797228 (HEAD -> main, origin/main, origin/HEAD)
Author: root <root@vmi1519856.contaboserver.net>
Date:   Mon Aug 19 14:17:45 2024 +0200

    update

commit 5c18888418fd3f2a9d76cfd278b69c1f7c41ba4f
Author: root <root@vmi1519856.contaboserver.net>
Date:   Mon Aug 19 14:15:57 2024 +0200

    update

commit d127325918e586ed6bfbd7fff94e049378d5694b
Author: root <root@vmi1519856.contaboserver.net>
Date:   Mon Aug 19 14:14:02 2024 +0200

    update

commit 5f73d374eace947a4fb12a8e81ceb5a8ca849807
Author: bob-193 <148455791+bob-193@users.noreply.github.com>
Date:   Mon Aug 19 14:04:04 2024 +0300

    init

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ ls
config  readme.md

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ ls -al config
total 0
drwxrwxrwx 1 kevin kevin 4096 Nov 16 02:16 .
drwxrwxrwx 1 kevin kevin 4096 Nov 16 02:16 ..
-rwxrwxrwx 1 kevin kevin   44 Nov 16 02:16 .env

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ cat config/.env
flag=replace with production INTIGRITI{...}

Still, diffing against one of the earlier commits, we find a deleted .gitmodules entry:

Code (diff):

1kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ git diff 5c188
2diff --git a/.gitmodules b/.gitmodules
3deleted file mode 100644
4index 0f2b51c..0000000
5--- a/.gitmodules
6+++ /dev/null
7@@ -1,3 +0,0 @@
8-[submodule "config"]
9-       path = config
10-       url = https://github.com/nitrofany/01189998819991197253
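
Review bot: Deleting the `[submodule "config"]` entry only removes it from the current tree; the `url = https://github.com/nitrofany/01189998819991197253` line stays readable in commit 5c188, so anyone who can clone this repository still learns the name of the config repository. If that name was meant to stay private, the history has to be rewritten, and access to the config repository should be reviewed on the assumption that its name is known.
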
11diff --git a/config/.env b/config/.env
12new file mode 100644
13index 0000000..1758539
14--- /dev/null
15+++ b/config/.env
16@@ -0,0 +1 @@
17+flag=replace with production INTIGRITI{...}
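
Review bot: `config/.env` is added as a tracked file at `+flag=replace with production INTIGRITI{...}`, so the next edit that fills in the production value will commit it into history. Suggest tracking a template such as `config/.env.example` instead, adding `config/.env` to `.gitignore`, and supplying the real value at deploy time.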

So the last thing we need to do is to clone this submodule.

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up$ git clone git@github.com:nitrofany/01189998819991197253
Cloning into '01189998819991197253'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (3/3), done.

Looking inside, we get the flag:

Code (bash):

kevin@ky28059:/mnt/c/users/kevin/Downloads/1337up/1337up/01189998819991197253$ cat flag.md
# INTIGRITI{9e0121bb8bce15ead3d7f529a81b77b4}
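
The submodule URL was recoverable only because deleting .gitmodules does not remove it from history. As an added example (not part of the original write-up), this script audits a repository for every submodule URL its history has ever referenced, including entries deleted later; the function names are hypothetical, and the sample repository and its example.invalid URL are constructed.

```shell
# Print "<short-commit> <submodule-name> <url>" for every submodule entry
# that any version of .gitmodules has held. Submodule names containing
# spaces are not handled.
historical_submodule_urls() {
  local repo=$1 commit key url
  # Every commit on any ref that touched .gitmodules (adds, edits, deletions).
  git -C "$repo" log --all --format=%h -- .gitmodules |
  while read -r commit; do
    # --blob parses the file as stored in that commit; it fails, and the
    # commit is skipped, where the file was deleted.
    git -C "$repo" config --blob "$commit:.gitmodules" \
        --get-regexp '^submodule\..*\.url$' 2>/dev/null |
    while read -r key url; do
      key=${key#submodule.}
      key=${key%.url}
      printf '%s %s %s\n' "$commit" "$key" "$url"
    done
  done
}

# Constructed sample repository following the pattern in the write-up:
# one commit adds a submodule entry, the next deletes .gitmodules.
make_sample_repo() {
  local dir
  dir=$(mktemp -d) || return 1
  git -C "$dir" init -q
  printf '[submodule "config"]\n\tpath = config\n\turl = %s\n' \
    'https://example.invalid/constructed/private-config' > "$dir/.gitmodules"
  git -C "$dir" add .gitmodules
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'add submodule entry'
  git -C "$dir" rm -q .gitmodules
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q -m 'remove submodule entry'
  printf '%s\n' "$dir"
}

repo=$(make_sample_repo)
historical_submodule_urls "$repo"   # one line, from the commit that added it
rm -rf "$repo"
```

Any URL this reports for a repository that outsiders can clone should be treated as disclosed, whatever the current tree contains.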