CSAW CTF 2015 - Transfer

After quickly looking through the .pcap, we find two things: a Python source file and a large base64 string (‘2Mk16Sk5iakYx…’)

CSAW CTF 2015 - Sharpturn

We’re given a .tar.xz which contains a partially corrupted git repo. Running git log reveals 4 commits, which all primarily build out one main .c file:

CSAW CTF 2015 - Lawn Care Simulator

After browsing around the home page of the website given, we notice 2 suspect things: password MD5s are computed client side, and there is a version number at the bottom of the page. After inspecting in Chrome dev tools, we see that the version number is dynamically pulled from /.git/refs/heads/master, meaning that the site’s .git is publicly accessible. However, while we can read files, directory listings are turned off. After researching the basics of how git works, we grab /.git/index, which contains the filenames and SHA-1 hashes of all files in the repo. Running this through a git index parser (e.g. gin), we get a list of all the files and hashes:

CSAW CTF 2015 - Precision

TL;DR

  • Overflow