
NSA Codebreaker 2022 Task B2

Description:

It looks like the backend site you discovered has some security features to prevent you from snooping. They must have hidden the login page away somewhere hard to guess.

Analyze the backend site, and find the URL to the login page.

Hint: this group seems a bit sloppy. They might be exposing more than they intend to.

Solution:

As stated in the challenge description, there is an information leak on the website that reveals the path forward. Analyzing the request headers reveals an unusual header, x-git-commit-hash. This implies that the web developer was using git for version control and may have left the .git directory at the root of the website. This is confirmed by querying https://jbjlx<redacted>pcxooy.ransommethis.net/.git/, which returns "Directory Listing Disabled" instead of a 404 error.

Directory Listing Disabled error page

The files inside this .git directory can be recovered by using git-dumper. This tool will not only recover the .git folder, but it will also recover all of the website’s source code.

git-dumper https://jbjlx<redacted>pcxooy.ransommethis.net/.git/ source

git-dumper output
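The same misconfiguration can be caught before deployment. The following self-check is an added example, not code from the write-up or the challenge; it probes the well-known git metadata files under a site root and distinguishes a clean 404 from a "directory exists" response (like the "Directory Listing Disabled" page above) and from readable git metadata. The URL, markers and sample responses are constructed for illustration.

```python
"""Pre-deployment check for a leaked .git directory at a web root.

Added example (hypothetical); standard library only.
"""
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

# Paths present in every git checkout. The marker is the byte prefix that
# identifies the real file; None means "only probe whether the path exists".
GIT_PROBES: Dict[str, Optional[bytes]] = {
    ".git/": None,                  # the bare directory, as queried in the write-up
    ".git/HEAD": b"ref: ",          # e.g. "ref: refs/heads/main" (detached HEAD is a sha)
    ".git/config": b"[core]",       # INI-style repository config
}

def classify(path: str, status: int, body: bytes) -> str:
    """Classify one response as 'exposed', 'present' or 'clean'.

    'exposed': the body starts with the git marker for that path, so the
               metadata is readable and the repository can be reconstructed.
    'present': anything other than 404 (403, a custom error page, an HTML
               catch-all), which still confirms the path is routed.
    'clean'  : a plain 404.
    """
    if status == 404:
        return "clean"
    marker = GIT_PROBES.get(path)
    if marker and status == 200 and body.lstrip().startswith(marker):
        return "exposed"
    return "present"

def fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Return (status, first 4 KiB of body) without raising on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)

def check_site(base_url: str) -> Dict[str, str]:
    """Probe every path in GIT_PROBES under base_url and classify each response."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(path, *fetch(base + path)) for path in GIT_PROBES}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid/"
    for path, verdict in check_site(target).items():
        print(f"{verdict:8} {path}")
```

Any verdict other than "clean" for a production site means the web server should deny access to the directory (or the checkout should be deployed without its .git folder).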

The source code can now be analyzed to determine how to reach the login page. While analyzing the source, it can be seen that this Python Flask web server uses a path key when checking its routes. The path key can be found in the expected_pathkey() function inside server.py.

server.py source code

Navigating to https://jbjlx<redacted>pcxooy.ransommethis.net/qschfbjhzihmssyy/login reveals the login page. The path key qschfbjhzihmssyy is the solution to the challenge.

This post is licensed under CC BY 4.0 by the author.