Objective #4: Data Repo Analysis

Problem

Retrieve the encrypted ZIP file from the North Pole Git repository https://git.kringlecastle.com/Upatree/santas_castle_automation. What is the password to open this file? For hints on achieving this objective, please visit Wunorse Openslae and help him with Stall Mucking Report Cranberry Pi terminal challenge.

Hints

Wunorse Openslae provides the following hints:

Speaking of good ways to find credentials, have you heard of Trufflehog?

It's a cool way to dig through repositories for passwords, RSA keys, and more.

I mean, no one EVER uploads sensitive credentials to public repositories, right? But if they did, this would be a great tool for finding them.

But hey, listen to me ramble. If you're interested in Trufflehog, you should check out Brian Hostetler's talk!

Have you tried the entropy=True option when running Trufflehog? It is amazing how much deeper it will dig!

Wunorse also provides a link to the Trufflehog tool: https://github.com/dxa4481/truffleHog

Wunorse also mentions the KringleCon talk by Brian Hostetler called "Buried Secrets: Digging Deep Through Cloud Repositories".

Solution

Download and install trufflehog (easily done with 'pip install trufflehog'), then run it against the repository provided. In the truncated output below, Shiny committed a change to remove the password 'Yippee-ki-yay', but because version control keeps the history of every file, the earlier content was still stored in the repository and we were able to retrieve what was once there in a previous version of the file.

root@kali:~/hhc18# trufflehog https://git.kringlecastle.com/Upatree/santas_castle_automation

~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Date: 2018-12-11 02:16:57
Hash: 0dfdc124b43a4e7e1233599c429c0328ec8b01ef
Filepath: schematics/for_elf_eyes_only.md
Branch: origin/master
Commit: important update

@@ -1,15 +0,0 @@
-Our Lead InfoSec Engineer Bushy Evergreen has been noticing an increase of brute force attacks in our logs. Furthermore, Albaster discovered and published a vulnerability with our password length at the last Hacker Conference.
-
-Bushy directed our elves to change the password used to lock down our sensitive files to something stronger. Good thing he caught it before those dastardly villians did!
-
- 
-Hopefully this is the last time we have to change our password again until next Christmas. 
-
-
-
-
-Password = 'Yippee-ki-yay'
-
-
-Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'
-
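
Review bot: the `Password = 'Yippee-ki-yay'` line removed in this hunk stays readable in the repository history, which is exactly how it appears in the scanner output here, so deleting schematics/for_elf_eyes_only.md does not retract the secret. Treat the password as exposed and rotate it, and if the repository is shared, rewrite history to purge the old blob rather than relying on the delete. The commit message `important update` also gives no indication that a credential was involved, which makes the exposure harder to find in a later audit.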

Answer: "Yippee-ki-yay"
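
The following is an added example, not part of the original write-up and not truffleHog's own code: it re-creates the kind of entropy check behind the "Reason: High Entropy" line above and runs it over three deleted lines copied from the diff. The character sets, the 20-character minimum and the 4.5 / 3.0 cut-offs are assumptions modelled on truffleHog 2.x defaults, and the function names are illustrative.

```python
import math
import re

# Character sets and cut-offs: assumptions modelled on truffleHog 2.x defaults.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "0123456789abcdefABCDEF"
MIN_RUN = 20  # runs of 20 characters or fewer are never scored
LIMITS = (("base64", BASE64_CHARS, 4.5), ("hex", HEX_CHARS, 3.0))

# Deleted lines copied from the diff in the output above (first line shortened).
REMOVED_LINES = [
    "Bushy directed our elves to change the password used to lock down our sensitive files",
    "Password = 'Yippee-ki-yay'",
    "Change ID = '9ed54617547cfca783e0f81f8dc5c927e3d1e3'",
]


def shannon_entropy(s, charset):
    """Bits per character, counting only characters that belong to charset."""
    probs = [s.count(c) / len(s) for c in charset if c in s]
    return -sum(p * math.log2(p) for p in probs)


def runs_of(word, charset):
    """Maximal runs of charset characters that are longer than MIN_RUN."""
    pattern = "[" + re.escape(charset) + "]+"
    return [r for r in re.findall(pattern, word) if len(r) > MIN_RUN]


def scan(lines):
    """Return (label, run, entropy) for every run that exceeds its cut-off."""
    findings = []
    for line in lines:
        for word in line.split():
            for label, charset, limit in LIMITS:
                for run in runs_of(word, charset):
                    h = shannon_entropy(run, charset)
                    if h > limit:
                        findings.append((label, run, round(h, 2)))
    return findings


if __name__ == "__main__":
    for label, run, h in scan(REMOVED_LINES):
        print(f"{label:6} {h:4.2f} {run}")
```

Under these assumptions only the hex Change ID crosses a cut-off; 'Yippee-ki-yay' is too short to be scored at all. Short, human-chosen passwords like this one are found by reading the diff of the flagged commit or by adding pattern rules, not by entropy alone.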