picoCTF General Skills Guide

Here's how to solve Commitment Issues

Commitment Issues

Name: Commitment Issues
Description: I accidentally wrote the flag down. Good thing I deleted it! You can download the challenge files here: challenge.zip
Author: Jeffery John
Tags: Easy, General Skills, picoCTF 2024, browser_webshell_solvable, git
Challenge from: picoCTF 2024
Files: challenge.zip
Hints:
1. Version control can help you recover files if you change or lose them!
2. Read the chapter on Git from the picoPrimer here!
3. You can 'checkout' commits to see the files inside them

Theory

According to the description, we are given a git repository containing a text file where the flag was written down and then deleted. This is actually quite easy: deleting content in a later commit does not erase it from the repository's history, so we just need to look through the history for the commit where the flag was removed for security reasons. We can use git log to list the history of the entire repository, and then git show with that commit's hash to see the text that was changed, aka the flag:

git log
git show <commit_hash>
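
The same idea turned into an audit, as an added example that is not part of the original guide: instead of reading git log by eye, it walks every commit's diff and reports each added or removed line that matches a secret-like pattern. The function names, the EXAMPLE{...} secret and the demo repository are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit a repository's history
# for secret-like lines that a later commit "deleted".

# scan_history REPO REGEX
# Prints "<commit-hash> <+|-><line>" for every added or removed diff line,
# on any branch, that matches REGEX (POSIX ERE, as understood by awk).
scan_history() {
    repo=$1
    regex=$2
    git -C "$repo" log --all -p --format='commit %H' |
    awk -v re="$regex" '
        /^commit [0-9a-f]+$/   { hash = $2; next }  # header printed by --format
        /^([+][+][+]|---) /    { next }             # file headers, not content
        /^[+-]/ && $0 ~ re     { print hash, $0 }   # changed line that matches
    '
}

# make_demo_repo DIR
# Constructed sample repository with the same two-commit shape as the
# challenge: a secret is committed, then overwritten in a second commit.
make_demo_repo() {
    dir=$1
    git init -q "$dir"
    git -C "$dir" config user.name demo                    # constructed identity
    git -C "$dir" config user.email demo@example.invalid
    printf 'EXAMPLE{constructed_secret}\n' > "$dir/message.txt"
    git -C "$dir" add message.txt
    git -C "$dir" commit -q -m 'create flag'
    printf 'TOP SECRET\n' > "$dir/message.txt"
    git -C "$dir" commit -q -a -m 'remove sensitive info'
}

# Stand-alone use: ./scan.sh /path/to/repo 'EXAMPLE[{][^}]*[}]'
if [ "$#" -ge 2 ]; then
    scan_history "$1" "$2"
fi
```

On the demo repository the scan reports the secret twice, once as a "+" line in the commit that created it and once as a "-" line in the commit that removed it, even though the working tree only contains TOP SECRET.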

Solution

First we need to download the repository and unzip it:

shukularuni-picoctf@webshell:~$ wget https://artifacts.picoctf.net/c_titan/138/challenge.zip
--2025-04-10 16:36:40--  https://artifacts.picoctf.net/c_titan/138/challenge.zip
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 3.160.22.43, 3.160.22.92, 3.160.22.128, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|3.160.22.43|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19199 (19K) [application/octet-stream]
Saving to: 'challenge.zip'

challenge.zip       100%[==================>]  18.75K  --.-KB/s    in 0.007s  

2025-04-10 16:36:40 (2.52 MB/s) - 'challenge.zip' saved [19199/19199]

shukularuni-picoctf@webshell:~$ unzip challenge.zip

shukularuni-picoctf@webshell:~$ cd drop-in

Now that we're in the repository, let's look for files that might have been changed:

shukularuni-picoctf@webshell:~/drop-in$ ls
message.txt
shukularuni-picoctf@webshell:~/drop-in$ cat message.txt
TOP SECRET

That seems like the file that might have been changed. Let's look at the log:

shukularuni-picoctf@webshell:~/drop-in$ git log
commit 42942c9c605b30100f5d859ef6e172027447c0db (HEAD -> master)
Author: picoCTF <ops@picoctf.com>
Date:   Tue Mar 12 00:06:23 2024 +0000

    remove sensitive info

commit b562f0b425907789d11d2fe2793e67592dc6be93
Author: picoCTF <ops@picoctf.com>
Date:   Tue Mar 12 00:06:23 2024 +0000

    create flag
(END)

There's one whose message says "remove sensitive info". We will copy the commit hash above it and use the show command:

shukularuni-picoctf@webshell:~/drop-in$ git show 42942c9c605b30100f5d859ef6e172027447c0db
commit 42942c9c605b30100f5d859ef6e172027447c0db (HEAD -> master)
Author: picoCTF <ops@picoctf.com>
Date:   Tue Mar 12 00:06:23 2024 +0000

    remove sensitive info

diff --git a/message.txt b/message.txt
index 0e0fefc..d552d1e 100644
--- a/message.txt
+++ b/message.txt
@@ -1 +1 @@
-picoCTF{s@n1t1z3_c785c319}
+TOP SECRET
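
Review bot: the "-" line in this hunk stays recoverable after the change, because overwriting message.txt in a new commit leaves the previous blob (0e0fefc in the index line) reachable from the parent commit. Treat the removed value as exposed and rotate it; if the history must not carry it, rewrite the history (for example with git filter-repo) and expire the old objects instead of relying on a follow-up "remove sensitive info" commit.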

There we go! That's the flag.

I rated this level as "good"! :3


https://play.picoctf.org/practice/challenge/411