Description
What was I last working on? I remember writing a note to help me remember...
Download the challenge zip, unzip it locally, then change into the drop-in directory.
Ensure git is installed so you can inspect the repository history.
wget https://artifacts.picoctf.net/c_titan/68/challenge.zip && \
unzip challenge.zip && \
cd drop-in
Solution
- Step 1: List commit history
Run the command to get the commit history, where an earlier commit has the flag in the commit message.
git log
git log displays the commit history of a repository in reverse chronological order (newest first). Each entry shows the commit hash, author, date, and the full commit message. In this challenge the flag was accidentally included in a commit message - a surprisingly common real-world mistake.
This type of accidental secret exposure in git history is a significant security risk in production codebases. Even if the offending commit is followed by another commit that removes the secret from the files, the original commit remains accessible in history. The only way to truly remove it is a history rewrite with tools like git filter-repo or BFG Repo Cleaner, followed by a force-push.
- git log --all includes commits on all branches, not just the current one.
- git log --grep="picoCTF" filters commits whose messages match a pattern - useful in repos with many commits.
- GitHub's secret scanning feature automatically flags common patterns (API keys, tokens) pushed to repos, but it cannot alert you to secrets already in history before the feature was enabled.
- Step 2: Read the flag
Once you spot the commit with picoCTF{...}, copy the message to get the flag.
Finding secrets in git history is a recognized attack vector in red-team and penetration testing engagements. Tools like truffleHog, gitleaks, and git-secrets automate the process of scanning repositories for high-entropy strings and known secret patterns across the entire commit graph.
The commit message is not the only place secrets can hide in git history. git stash entries, deleted branches (accessible via git reflog), and orphaned commits that were never merged can all retain sensitive data even after the working tree looks clean.
For defenders, the lesson is: treat your git history as public the moment any commit touches a remote. Use pre-commit hooks (e.g., detect-secrets) to block secrets from being committed in the first place, and rotate any credential that has ever appeared in a commit message or diff.
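The flag in this challenge sat in a commit message, and git's pre-commit hook stage runs before the message exists, so the message needs its own check. The following is an added example, not part of the original write-up: a commit-msg hook plus a history audit that combines the git log --all and --grep options mentioned above. The pattern list and function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: commit-msg hook that rejects secrets in the commit MESSAGE.
# Install as .git/hooks/commit-msg and make it executable.

# Illustrative, non-exhaustive ERE: picoCTF-style flag, AWS access key ID,
# GitHub personal access token, PEM private-key header.
SECRET_RE='picoCTF\{[^}]*\}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----'

# msg_has_secret FILE -> exit status 0 if a non-comment line matches SECRET_RE.
msg_has_secret() {
    # Git strips lines starting with '#' from the final message, so skip them
    # (assumes the default core.commentChar).
    grep -v '^#' "$1" | grep -Eq -e "$SECRET_RE"
}

# audit_history -> list commits reachable from any ref or reflog entry whose
# message matches SECRET_RE (run inside the repository being audited).
audit_history() {
    git log --all --reflog -E --grep="$SECRET_RE" --format='%h %s'
}

# Act as a hook only when installed under the name commit-msg;
# git passes the path of the message file as $1.
if [ "${0##*/}" = "commit-msg" ]; then
    if msg_has_secret "$1"; then
        echo "commit-msg: message matches a secret pattern; commit rejected" >&2
        exit 1
    fi
fi
```

Any commit that audit_history lists still needs the credential rotated, since the message stays in history until it is rewritten.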
Flag
picoCTF{t1m3m@ch1n3_b476...}