picoCTF Solutions
PathPart of the General Skills path · Step 3 of 4: Git and Version Control
picoCTF 2024General SkillsEasy

Time Machine picoCTF 2024 Solution

Published: April 3, 2024

Description

What was I last working on? I remember writing a note to help me remember...

Setup

Download challenge.zip

Download the challenge zip, unzip it locally, then change into the drop-in directory.

Ensure git is installed so you can inspect the repository history.

bash
wget https://artifacts.picoctf.net/c_titan/68/challenge.zip && \
unzip challenge.zip && \
cd drop-in/

Solution

Walk me through it
This is a precursor to the Commitment Issues challenge. The Linux command line guide for CTFs covers the basic shell skills used here.
  1. Step 1List commit history
    git log walks the history newest-first. Each entry has a hash, author, date, and the full commit message; scan the messages for one containing picoCTF{...}.
    bash
    git log
    Output looks like this:
    commit 9f3a... (HEAD -> master)
Author: ...
Date:   ...

    fix typo

commit 5b2c...
Author: ...
Date:   ...

    picoCTF{t1m3m@ch1n3_b476...}
    Learn more

    git log displays the commit history of a repository in reverse chronological order (newest first). Each entry shows the commit hash, author, date, and the full commit message. In this challenge the flag was accidentally included in a commit message, a surprisingly common real-world mistake.

    Accidental secret exposure in git history is a significant security risk in production codebases. Even if a later commit removes the secret from the files, the original commit stays in history. Truly removing it requires a history rewrite with git filter-repo or BFG Repo Cleaner, followed by a force-push.

    • git log --all includes commits on all branches, not just the current one.
    • git log --grep="picoCTF" filters commits whose messages match a pattern; useful in repos with many commits.
    • GitHub's secret scanning feature automatically flags common patterns (API keys, tokens) pushed to repos, but it cannot alert you to secrets already in history before the feature was enabled.
  2. Step 2Read the flag
    Copy the full commit message that begins with picoCTF{ and ends with }. Verify both braces are present before submitting.
    Learn more

    Finding secrets in git history is a recognized attack vector in red-team and penetration testing engagements. Tools like truffleHog, gitleaks, and git-secrets automate the process of scanning repositories for high-entropy strings and known secret patterns across the entire commit graph.

    This challenge only needs git log; the commit is reachable from HEAD. In more complex scenarios secrets can also live in git stash entries, deleted branches (accessible via git reflog), or orphaned commits that were never merged, all of which retain data even after the working tree looks clean.

    For defenders, the lesson is: treat your git history as public the moment any commit touches a remote. Use pre-commit hooks (e.g., detect-secrets) to block secrets from being committed in the first place, and rotate any credential that has ever appeared in a commit message or diff.

Flag

picoCTF{t1m3m@ch1n3_b476...}

Want more picoCTF 2024 writeups?

Browse picoCTF 2024Full library

Useful tools for General Skills

Related reading

What to try next