CTF Writeups
WebsiteDiscordSocials..
  • CryptoCat's CTF writeups
  • 2025
    • Tsuku
      • Web
        • len_len
        • Flash
        • YAMLwaf
    • CTF@CIT
      • Web
        • Breaking Authentication
        • Commit & Order: Version Control Unit
        • How I Parsed your JSON
        • Mr. Chatbot
        • Keeping Up with the Credentials
  • 2024
    • CryptoCat
      • Summar-AI-ze
    • Intigriti
      • Warmup
        • BabyFlow
        • In Plain Sight
        • IrrORversible
        • Layers
        • Rigged Slot Machine 1
      • Game
        • Bug Squash 1
        • Bug Squash 2
      • Rev
        • Secure Bank
      • Web
        • Biocorp
        • Cat Club
        • Pizza Paradise
        • SafeNotes 2.0
      • Misc
        • Quick Recovery
        • Triage Bot 2
      • Pwn
        • Floormat Sale
        • Retro2Win
        • Rigged Slot Machine 2
        • UAP
      • Crypto
        • Schrodinger's Pad
      • Mobile
        • Cold Storage
      • OSINT
        • No Comment
        • Trackdown
        • Trackdown 2
      • Forensics
        • CTF Mind Tricks
        • Hoarded Flag
        • Password Management
    • CSAW
      • Web
        • Playing on the Backcourts
        • Log Me In
        • Lost Pyramid
        • BucketWars
    • CyberSpace
      • Web
        • Feature Unlocked
    • UIU
      • Web
        • Fare Evasion
        • Log Action
    • Wani
      • Web
        • Bad Worker
        • PoW
        • One Day One Letter
    • Akasec
      • Web
    • HTB Cyber Apocalypse
      • Web
        • Flag Command
        • TimeKORP
        • KORP Terminal
        • Labyrinth Linguist
        • Locktalk
        • SerialFlow
        • Testimonial
  • 2023
    • Intigriti
      • Gamepwn
        • Dark Secrets
      • Misc
        • Triage Bot
      • OSINT
        • Photographs
      • Pwn
        • Floormat Store
      • Web
        • Bug Report Repo
        • My Music
    • Imaginary
      • Web
        • Blank
        • IDORiot
        • Inspection
        • Login
        • Perfect Picture
        • Roks
    • Google
      • Pwn
        • Write-Flag-Where
    • Cyber Apocalypse
      • AI
        • Last Hope
        • Mysterious Learning
      • Crypto
        • Perfect Synchronization
      • Pwn
        • Getting Started
        • Labyrinth
        • Pandora's Box
        • Void
      • Rev
        • Cave System
        • Hunting License
        • Needle in a Haystack
        • Shattered Tablet
        • She Sells Sea Shells
    • Sekai
      • Rev
        • Azusawa's Gacha World
    • Amateurs
      • Web
        • Sanity
        • Waiting an Eternity
    • NahamCon
      • Web
        • Hidden Figures
        • Marmalade 5
        • Obligatory
        • Star Wars
        • Stickers
    • Angstrom
      • Pwn
        • Leek
  • 2022
    • Imaginary (iCTF)
      • Crypto
        • ASE
      • Pwn
        • Links 1
        • Links 2
        • Links 3
        • Open Doors
    • SEETF
      • Pwn
        • 4mats
        • Easy Overflow
      • Rev
        • BabyReeee
      • Web
        • Super-Secure-Requests-Forwarder
    • HTB Cyber Apocalypse
      • Pwn
        • Hellbound
    • Angstrom
      • Pwn
        • Really Obnoxious Problem
        • Wah
        • Whats My Name
        • Where Am I
      • Web
        • Crumbs
        • Xtra Salty Sardines
    • NahamCon
      • Pwn
        • Baby Steps
      • Web
        • Flaskmetal Alchemist
        • Hacker Ts
        • Two for One
    • Pico
      • Forensics
        • Side Channel
      • Pwn
        • Buffer Overflow 1
        • Buffer Overflow 2
        • Buffer Overflow 3
        • Flag Leak
        • Function Overwrite
        • ROPfu
        • RPS
        • Stack Cache
        • Wine
        • X-Sixty-What
      • Rev
        • Wizardlike
      • Web
        • Noted
    • Space Heroes
      • Pwn
        • Vader
      • Web
        • Flag in Space
    • Intigriti
      • Pwn
        • Bird
        • Cake
        • Easy Register
        • Search Engine
    • Dice
      • Pwn
        • Interview Opportunity
  • 2021
    • Pico
      • Pwn
        • Unsubscriptions Are Free
    • Crusaders of Rust (COR)
      • Crypto
        • Fibinary
      • Pwn
        • Chainblock
    • HTB Cyber Santa
      • Crypto
        • Meet Me Halfway
        • Xmas Spirit
      • Pwn
        • Minimelfistic
        • Mr. Snowy
        • Naughty List
        • Sleigh
      • Rev
        • Infiltration
        • Intercept
    • K3rn3l
      • Crypto
        • Badseed
        • Twizzty Buzzinezz
    • HTB x Synack RedTeamFive
      • Misc
        • Context
        • Hotel
      • Pwn
        • Air Supplies
        • Injection Shot
        • Library
        • Recruitment
      • Rev
        • Knock Knock
        • Split
    • KillerQueen
      • Pwn
        • A Kind of Magic
        • Tweety Birb
        • Zoom2Win
    • HacktivityCon
      • Pwn
        • Retcheck
        • The Library
        • Yabo
      • Web
        • Availability
    • CSAW
      • Pwn
        • Alien Math
        • Password Checker
      • Rev
        • Checker
    • HackyHolidays
      • Crypto
        • Cute Invoice
        • Mineslazer
      • Forensics
        • Injection Traffic
        • Power Snacks
      • Pwn
        • Deleted Flag
        • Engine Control
      • Web
        • Skylark
    • HTB Cyber Apocalypse
      • Crypto
        • Phasestream
      • Misc
        • Alien Camp
        • Build Yourself In
      • Pwn
        • Controller
        • System Drop
      • Web
        • Blitzprop
        • E-Tree
        • Wild Goose Hunt
    • Angstrom
      • Pwn
        • Sanity Checks
        • Secure Login
        • Sticky Stacks
        • Tranquil
      • Rev
        • Free Flags
        • Jailbreak
      • Web
        • Jar
Powered by GitBook
On this page
  • Description
  • Solution
  1. 2025
  2. CTF@CIT
  3. Web

Commit & Order: Version Control Unit

Writeup for Commit & Order - Version Control Unit (Web) - CTF@CIT CTF (2025) 💜

PreviousBreaking AuthenticationNextHow I Parsed your JSON

Last updated 5 days ago

Description

In software development, the repository is represented by two separate yet equally important branches...

Solution

Another PHP login page. Test for SQLi again, thankfully not a repeat of the first challenge 😁

Description hints at git, so we can check http://23.179.17.40:58002/.git/

It returns a Forbidden page, meaning that it exists but we cant access it. Time to check out the tool! It takes the URL and directory to dump to.

git-dumper http://23.179.17.40:58002/.git/ .

It downloads the git repo, now we can check the log.

git log

commit 7c8c6a8e434cb23aa9c9dac0ce715e928016849a (HEAD -> master)
Author: webmaster <webmaster@ctf.cyber-cit.club>
Date:   Fri Apr 18 12:39:59 2025 -0400

    I think we're good for now

commit 9b8bf13600c17ba7cbbc9ac7dcffaebd36b16b36
Author: webmaster <webmaster@ctf.cyber-cit.club>
Date:   Fri Apr 18 12:39:06 2025 -0400

    changed it again

commit 68f8fcdbebcca3c8fda1e91fcb842992d09a41d4
Author: webmaster <webmaster@ctf.cyber-cit.club>
Date:   Fri Apr 18 12:34:30 2025 -0400

    putting chatgpt to work

commit 247b12483ba3a6a8d177fdd9d74416a01eb61512
Author: webmaster <webmaster@ctf.cyber-cit.club>
Date:   Fri Apr 18 12:30:08 2025 -0400

    updated some more

commit ca9517713391aca6f5073758effa47c33d3be6b4
Author: webmaster <webmaster@ctf.cyber-cit.club>
Date:   Fri Apr 18 12:26:52 2025 -0400

    updated admin page

commit 0e775315a623ed96d9b0b53e6ffb69dd06b93902
Author: webmaster <webmaster@ctf.cyber-cit.club>
Date:   Fri Apr 18 12:18:13 2025 -0400

    first commit

Hmmm "putting chatgpt to work"? Sounds like somebody has been vibe coding! Let's do a diff.

git diff 68f8fcdbebcca3c8fda1e91fcb842992d09a41d4

+  <h1>Admin Panel</h1>

-  <div class="main-content">
-    <div class="warning-banner">
-      <svg width="24" height="24" fill="currentColor" viewBox="0 0 24 24">
-        <path d="M1 21h22L12 2 1 21zm12-3h-2v2h2v-2zm0-8h-2v6h2v-6z" />
-      </svg>
-      This admin panel is under construction. No actual functionality is available yet. But here, have this: Q0lUezVkODFmNzc0M2Y0YmMyYWJ9
-    </div>
+  <div class="container">
+    <p>This admin page is under construction and currently has no functionality.</p>

Looks like a base64 encoded message, let's decode.

echo "Q0lUezVkODFmNzc0M2Y0YmMyYWJ9" | base64 -d

CIT{5d81f7743f4bc2ab}

Flag: CIT{5d81f7743f4bc2ab}

git-dumper