Time Machine picoCTF 2024 Solution

Published: April 3, 2024

Description

What was I last working on? I remember writing a note to help me remember...

Download the challenge zip, unzip it locally, then change into the drop-in directory.

Ensure git is installed so you can inspect the repository history.

bash
wget https://artifacts.picoctf.net/c_titan/68/challenge.zip && \
unzip challenge.zip && \
cd drop-in/

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
This is a precursor to the Commitment Issues challenge. The Linux command line guide for CTFs covers the basic shell skills used here.
  1. Step 1
    List commit history
    Observation
    I noticed the challenge description said 'I remember writing a note to help me remember,' and the downloaded artifact was a git repository, which suggested the note was stored in a commit message and that git log would reveal the flag in the history.
    git log walks the history newest-first. Each entry has a hash, author, date, and the full commit message; scan the messages for one containing picoCTF{...}.
    bash
    git log
    Output looks like this:
    commit 9f3a... (HEAD -> master)
    Author: ...
    Date:   ...
    
        fix typo
    
    commit 5b2c...
    Author: ...
    Date:   ...
    
        picoCTF{t1m3m@ch1n3_b476...}
    What didn't work first

    Tried: Run git diff or git show to look at file changes instead of commit messages.

    git diff and git show display changes to file contents between commits, not the text of commit messages themselves. The flag in this challenge was embedded in a commit message, so inspecting file diffs returns nothing useful. git log is the correct command because it prints the full message body for every commit.

    Tried: Search for the flag inside files using grep -r 'picoCTF' after unzipping.

    grep -r scans only the working tree - the files currently on disk. The flag was never written to a tracked file; it exists only in a historical commit message stored in the .git/objects directory. grep cannot read git object storage, so the search returns zero results even though the flag is present in the repository.

    Learn more

    git log displays the commit history of a repository in reverse chronological order (newest first). Each entry shows the commit hash, author, date, and the full commit message. In this challenge the flag was accidentally included in a commit message, a surprisingly common real-world mistake.

    Accidental secret exposure in git history is a significant security risk in production codebases. Even if a later commit removes the secret from the files, the original commit stays in history. Truly removing it requires a history rewrite with git filter-repo or BFG Repo Cleaner, followed by a force-push.

    • git log --all includes commits on all branches, not just the current one.
    • git log --grep="picoCTF" filters commits whose messages match a pattern; useful in repos with many commits.
    • GitHub's secret scanning feature automatically flags common patterns (API keys, tokens) pushed to repos, but it cannot alert you to secrets already in history before the feature was enabled.
  2. Step 2
    Read the flag
    Observation
    I noticed that git log output showed a commit message containing the picoCTF{ pattern, which confirmed the flag was embedded there and simply needed to be copied out in full.
    Copy the full commit message that begins with picoCTF{ and ends with }. Verify both braces are present before submitting.
    Learn more

    Finding secrets in git history is a recognized attack vector in red-team and penetration testing engagements. Tools like truffleHog, gitleaks, and git-secrets automate the process of scanning repositories for high-entropy strings and known secret patterns across the entire commit graph.

    This challenge only needs git log; the commit is reachable from HEAD. In more complex scenarios secrets can also live in git stash entries, deleted branches (accessible via git reflog), or orphaned commits that were never merged, all of which retain data even after the working tree looks clean.

    For defenders, the lesson is: treat your git history as public the moment any commit touches a remote. Use pre-commit hooks (e.g., detect-secrets) to block secrets from being committed in the first place, and rotate any credential that has ever appeared in a commit message or diff.

Flag

Reveal flag

picoCTF{t1m3m@ch1n3_b476...}

Key takeaway

Git commit history is permanent until explicitly rewritten; a secret committed in a message or diff remains discoverable via git log even after a later commit removes it from the working tree. Truly removing a secret requires git filter-repo followed by a force-push, and any credential that has ever appeared in a commit must be rotated immediately regardless of subsequent cleanup.

Related reading

Want more picoCTF 2024 writeups?

Useful tools for General Skills

What to try next