Bandit Level 29 Walkthrough
Level 28 ➔ Level 29: Digging Through Git History
1. My Objective
I am currently logged in as bandit28. My mission is to find the password for Level 29. Like the previous level, I am given a Git repository URL: ssh://bandit28-git@bandit.labs.overthewire.org/home/bandit28-git/repo. The password for the Git user is the same as the password I used to log into bandit28. My task is to clone the repository and find the password, even if it isn't visible in the current version of the files.
The Hidden Challenge: Sometimes developers realize they accidentally committed a password, and their first instinct is to overwrite it with "XXXXXX" or delete the line. However, in Git, deleting a line doesn't delete the record of that line. I need to look into the past.
2. The Feynman Explanation: The Invisible Ink Notebook
How do I see what someone wrote if they have already erased it? In Git, nothing is truly erased.
The Security Camera Analogy:
Imagine I have a notebook. Every time I finish a page, a security camera takes a high-resolution photograph of it before I turn the page.
On Monday, I write my secret password on Page 1. On Tuesday, I realize this was a mistake, so I take an eraser and rub it out, writing "REDACTED" in its place.
If you look at my notebook right now, you only see the word "REDACTED." But if you have access to the Security Camera (Git History), you can just go back to the "Monday photograph." You can see exactly what the page looked like before the eraser touched it. Git doesn't just store the current state of a file; it stores a "commit history"—a timeline of every change ever made.
3. Practical Solution
I will follow the same process as Level 28: create a workspace in /tmp, clone the repository, and then use Git commands to "rewind the tape."
# Step 1: Prepare the workspace
bandit28@bandit:~$ mkdir /tmp/pritom_history
bandit28@bandit:~$ cd /tmp/pritom_history
# Step 2: Clone the repo (enter the bandit28 password when prompted)
bandit28@bandit:/tmp/pritom_history$ git clone ssh://bandit28-git@bandit.labs.overthewire.org:2220/home/bandit28-git/repo
bandit28@bandit:/tmp/pritom_history$ cd repo
# Step 3: Inspect the current file
bandit28@bandit:/tmp/pritom_history/repo$ cat README.md
The password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Step 4: Look at the 'Security Camera' logs (Git history)
# -p shows the 'patch' (the actual changes) for each commit
bandit28@bandit:/tmp/pritom_history/repo$ git log -p
# I scroll down to see the older versions of the file.
# I see a line that was removed (red/-) and replaced with XXXXX (green/+)
- The password is t696Ng6pE6vSAr4S019SAb36906sV...
+ The password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Why did git log -p solve it?
The git log command shows a list of all saves (commits) made to the project. By adding the -p flag, I told Git to show me the Difference (Diff) of each commit. This allowed me to see exactly what characters were added or removed in the past, revealing the password that was intentionally hidden in the latest version.
🚀 My Pro Tips: Mastering Git Investigation
✨ The 'git show' Shortcut
If I only want to see the details of the very last change, I can use git show. It is a faster way to see the most recent edits without scrolling through the entire history.
⭐ Searching the History (pickaxe)
In a giant repository with 10,000 commits, I wouldn't scroll. I would use the "pickaxe" search:
git log -S "password"
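This tells Git to show me only the commits that changed how many times the string "password" appears in a file, that is, the commits where it was added or removed. Adding -p to the same command also prints the matching diffs.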
🔍 Checking Branches
Sometimes the secret isn't in the past; it's in a different parallel version of the project. I always run git branch -a to see if there are other branches (like dev or secret-fix) that might contain the flag.
4. Why this matters
I have seen this mistake happen many times in real-world software development. A developer accidentally commits an API key or a database password, deletes it in the next commit, and thinks they are safe. However, as long as the commit is still in the repository's history, anyone who can clone the repository or read its .git folder can recover the secret. This is why tools like TruffleHog or GitGuardian exist: they scan history for exactly these types of leaks.
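The history scan described above can be sketched in a few lines of shell. This is an added example, not code from the original post and not how TruffleHog or GitGuardian work internally; the function name scan_removed, the sample log (hashes, file names, secret values) and the search pattern are constructed for illustration. It reads git log -p output and reports lines that a commit deleted but that still match a credential pattern.

```shell
#!/bin/sh
# scan_removed PATTERN: read `git log -p` output on stdin and print
# "<commit> <file> <deleted text>" for each deleted line matching PATTERN
# (case-insensitive ERE): text gone from the checkout but still in history.
scan_removed() {
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        /^commit [0-9a-f]+/ { commit = substr($2, 1, 12); hunk = 0; next }
        /^diff --git /      { hunk = 0; file = ""; next }
        /^@@ /              { hunk = 1; next }
        # Outside a hunk these are file headers; inside one, "--- x" is a deleted "-- x".
        !hunk && /^--- /    { f = substr($0, 5); if (f != "/dev/null") file = f; next }
        !hunk && /^\+\+\+ / { if (file == "") file = substr($0, 5); next }
        # Inside a hunk: a deleted line, with the leading marker stripped.
        hunk && /^-/        { text = substr($0, 2); name = file; sub(/^[ab]\//, "", name)
                              if (tolower(text) ~ pat) print commit, name, text }
    '
}

# Constructed sample of `git log -p` output (placeholder hashes and secrets, headers trimmed).
sample_log() {
    cat <<'EOF'
commit 3333333333333333333333333333333333333333

    remove old script

diff --git a/deploy.sql b/deploy.sql
--- a/deploy.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- api_key: CONSTRUCTED-KEY-0000
-SELECT 1;
commit 2222222222222222222222222222222222222222

    fix info leak

diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
 Some notes for the next level.
-The password is CONSTRUCTED-PLACEHOLDER-VALUE
+The password is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EOF
}

# Demo run on the constructed sample.
sample_log | scan_removed 'password|api[_-]?key'
```

In a real repository, run git log -p --all | scan_removed '<pattern>' so every branch is covered. Anything it reports is still recoverable from history and should be rotated, not just deleted in a later commit.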
History Interrogated!
I've successfully "time-traveled" to find the deleted password. I'll save it and move on to Level 29 ➔ Level 30, where the secret might be hidden in a parallel reality (Branches)!
Tags: #Linux #Bandit #OverTheWire #GitHistory #GitLog #GitShow #DataForensics #LeakedSecrets #CyberSecurity #FeynmanTechnique #CodeWithPritom #ProTips