Challenge - Week 9

Klarer du å finne flagget denne uka? Samme format som sist: BVT{<tekst>}

For inspirasjon kan du ta en titt på løsningen for forrige uke

Solution

The link in the challenge is pointing to the GitHub repository for the challenge writeups, instead of the regular writeup page.

Looking at the breadcrumbs, we can see a kind of structure:

What if we try to navigate to the /post directory?

Look at that, week 9 is already there. And the last commit message is Ooops, too early!, what could that mean? Let’s look inside. Only one file, with nothing useful in it:

Let’s look at the commit history:

Let’s look at that last commit:

And there it is!

Bonus solution

If we look at the solution for week 8, we can see that the same flag is in the history there.

In fact, we can see it being added in the same commit as the solution for week 9:

This was unintentional, and proves the point of this challenge - data committed to GitHub (or alternatives) are there to stay. Deleting old commits will not make the data go away on other machines etc. So after committing secrets to GitHub (or alternatives), you have no other choice than to invalidate and rotate.

The flag

BVT{What happens on the internet stays on the internet}