Bithug picoCTF 2021 Solution

Published: April 2, 2026

Description

A git hosting service. Log in and find the flag hidden somewhere you should not have access to.

Open the challenge URL and create an account.

```bash
# Open http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/ in your browser
```
  1. Step 1: Create an account and explore the service
    Register a user account on the Bithug service. Explore the repository listing, user profiles, and any administrative pages. Look for IDOR vulnerabilities by modifying numeric IDs in URLs.

    IDOR (Insecure Direct Object Reference) occurs when an application exposes internal implementation objects (database IDs, file paths, etc.) in URLs or parameters without proper authorization checks. By changing /repo/1 to /repo/2, you might access another user's private repository.

    On a git hosting service, explore: repository listings (/repos), individual repos (/user/repo), commits (/user/repo/commits), raw file access (/user/repo/raw/branch/path), and admin panels (/admin, /admin/users).

  2. Step 2: Probe the admin namespace before assuming a path
    Walk /admin/, /admin/repos/, and the git smart-HTTP refs endpoints. ../ sequences in repository paths are also worth trying if the server doesn't normalize.
    ```bash
    # Probe the admin tree
    curl -s -u user:pass http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/admin/
    curl -s -u user:pass http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/admin/repos/

    # Smart HTTP negotiation (any reachable repo's path)
    curl -s -u user:pass 'http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/admin/flag.git/info/refs?service=git-upload-pack'

    # Once you know the path, clone with git
    git clone http://user:pass@mercury.picoctf.net:<PORT_FROM_INSTANCE>/admin/flag.git
    ```

    Git smart HTTP, briefly. A git server speaks two endpoints per repo: GET /repo.git/info/refs?service=git-upload-pack for the ref-advertising negotiation, and POST /repo.git/git-upload-pack for the pack transfer. Hitting info/refs for a repo you don't own is the cheapest probe: a 200 with refs means the auth check is missing, a 401 means it's enforced. Path traversal in the repo segment (e.g. /yourname/../admin/flag.git/info/refs) sometimes slips past per-user authorization that's keyed on the URL prefix rather than the resolved repo.

    Git hosting IDOR scenarios:

    • A private admin repository is accessible to all users if the authorization check is missing
    • The git clone URL accepts relative paths that escape the intended repository directory
    • File read endpoints don't check repository ownership before returning file contents
    • A poorly implemented fork or star feature creates a public reference to a private repository's commit hash
  3. Step 3: Clone or access the flag repository
    Once you identify the vulnerable endpoint, use curl or git to retrieve the flag. Try accessing the admin's repositories or any repository named 'flag'.
    ```bash
    git clone http://your_user:your_pass@mercury.picoctf.net:<PORT_FROM_INSTANCE>/admin/flag.git
    # git strips the .git suffix when naming the working directory
    cat flag/flag.txt
    # Or use the web interface to browse repository contents
    ```

    If the service uses git's smart HTTP protocol, the endpoint /user/repo.git/info/refs?service=git-upload-pack is part of the git protocol negotiation. A path traversal here (e.g., /../admin/flag.git/info/refs) might allow cloning unauthorized repositories. Test with git and check if standard git protocol requests succeed. For a tour of the broader bug class this lives in, see web challenge bug patterns.
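
The two "smart HTTP" notes above both turn on the same defect: authorization keyed on the raw URL prefix instead of the repository the path actually resolves to. Here is the weak check beside a hardened one, as an added example (not the Bithug service's code; the ACL, repository names and status codes are constructed for illustration):

```python
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed access list for this example: resolved repo path -> users allowed to read it.
ACL = {
    "alice/notes.git": {"alice"},
    "admin/flag.git": {"admin"},
}

def prefix_check(user: str, url: str) -> bool:
    """The weak pattern: the first URL segment must equal the caller's
    namespace. Nothing is normalised, so '/alice/../admin/...' passes."""
    first = url.lstrip("/").split("/", 1)[0]
    return first == user

def resolve_repo(url: str) -> Optional[str]:
    """Reduce a smart-HTTP URL to the repository it really names: decode
    percent-encoding, drop the query string and the protocol suffix, then
    collapse '.' and '..' against an absolute root so a traversal can only
    land on another repo name, never outside the repository root."""
    path = unquote(urlsplit(url).path)
    for suffix in ("/info/refs", "/git-upload-pack", "/git-receive-pack"):
        if path.endswith(suffix):
            path = path[: -len(suffix)]
            break
    repo = posixpath.normpath("/" + path.lstrip("/")).lstrip("/")
    if not repo.endswith(".git") or repo.count("/") != 1:
        return None  # only <owner>/<name>.git is a valid repo here
    return repo

def authorize(user: str, url: str) -> int:
    """Hardened check keyed on the resolved repo, not the raw URL prefix.
    Returns the HTTP status to send. Unknown and forbidden repos get the
    same answer, so info/refs cannot be used to enumerate private repos."""
    repo = resolve_repo(url)
    if repo is None or user not in ACL.get(repo, set()):
        return 404
    return 200

if __name__ == "__main__":
    probe = "/alice/../admin/flag.git/info/refs?service=git-upload-pack"
    print("prefix check lets it through:", prefix_check("alice", probe))  # True
    print("resolved repo:", resolve_repo(probe))                          # admin/flag.git
    print("hardened status for alice:", authorize("alice", probe))        # 404
```

The same resolved name should be used for the web file-read and clone handlers, so every route shares one authorization decision instead of re-deriving it from the URL.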

Flag

picoCTF{...}

Bithug demonstrates IDOR and insufficient authorization checks in a git hosting service: accessing another user's private repository by manipulating URL parameters or bypassing access controls reveals the flag.
