πΏ OverTheWire Bandit Level 30: Finding Secrets in Git Branches
Level 30 builds on Git concepts from Levels 28 and 29, introducing Git branchesβparallel lines of development in a repository. This level teaches you how to list branches, check out branches, and understand why secrets might be stored in non-production branches even when removed from the main branch.
Level 30 teaches you:
- Understanding Git branches
- Listing all branches (
git branch -a) - Checking out branches (
git checkout) - Viewing branch differences (
git show) - Finding secrets in non-production branches
If you've made it this far, you understand Git commits and history. Now you're learning about branchesβanother common place where secrets hide in real-world security assessments.
π― The Objective
After logging into bandit29, your goal is to find the password for Level 30. There's a Git repository at ssh://bandit29-git@localhost/home/bandit29-git/repo. The password for the user bandit29-git is the same as for the user bandit29.
What Level 30 teaches:
- Understanding Git branches
- Listing and checking branches
- Viewing branch contents
- Finding secrets in branches
- Why branches matter for security
The challenge: The README mentions "no password in production," which hints that the password might be in a non-production branch. You need to check all branches to find it.
π Understanding the Problem
Let's start by connecting to Level 29:
sshpass -p `cat bandit29` ssh bandit29@bandit.labs.overthewire.org -p 2220
Once connected, let's clone the repository:
mkdir -p /tmp/m1k3
cd /tmp/m1k3
git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
cd repo
The problem: When you check the commit history, there's no password in any commits. The README mentions "no password in production," suggesting the password might be in a different branch (like dev, staging, or development).
π§ Understanding Git Branches
Here's what's happening: Git branches are parallel lines of development. Secrets might be in non-production branches even when removed from the main branch.
How Git Branches Work
Git branches are pointers to commits:
- Each branch can have different commits
- Branches can diverge and merge
- Different branches can have different files
- Secrets might exist in one branch but not another
Why this matters:
- Production branch might not have secrets
- Development branches might still have them
- Old branches might contain exposed credentials
- Branching is common in real projects
Understanding Branch Structure
Common branch names:
master/mainβ Production branchdev/developmentβ Development branchstagingβ Pre-production testingfeature/*β Feature brancheshotfix/*β Emergency fixes
In Level 30: The password is likely in a non-production branch (like dev or development).
Understanding git branch -a
git branch -a lists all branches:
- Local branches (on your machine)
- Remote branches (on the server)
- Shows all available branches
What you'll see:
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
remotes/origin/staging
The key: Look for branches other than masterβthey might contain the password.
Understanding git checkout
git checkout <branch> switches to a branch:
- Changes your working directory
- Updates files to match that branch
- Lets you view branch contents
Example:
git checkout dev
This switches to the dev branch so you can see its files.
Understanding git show
git show <branch> shows a branch's latest commit:
- Shows commit details
- Shows file contents
- Shows what's different
With -p flag: Shows the diff (changes)
Example:
git show dev -p
This shows the dev branch's latest commit with changes.
π Step-by-Step Walkthrough
Step 1: Connect to Level 29
sshpass -p `cat bandit29` ssh bandit29@bandit.labs.overthewire.org -p 2220
Step 2: Get the Password Ready
You'll need the bandit29 password for the Git clone:
cat /etc/bandit_pass/bandit29
Copy this password.
Step 3: Create Temporary Directory and Clone
mkdir -p /tmp/m1k3
cd /tmp/m1k3
git clone ssh://bandit29-git@localhost/home/bandit29-git/repo
cd repo
When prompted, paste the bandit29 password.
Step 4: Check Repository Contents
ls -la
You should see a README.md file and a .git directory.
Step 5: Read the README File
cat README.md
What you'll see:
# Bandit Notes
Some notes for bandit30 of bandit.
## Credentials
- username: bandit30
- password: [blank or removed]
## Notes
no password in production
The key hint: "no password in production" suggests the password might be in a non-production branch!
Step 6: Check Commit History
Let's check the commit history first:
git log -p
What you'll see: Commits showing changes, but no password in any commit. The second commit might change the username, but still no password.
The problem: No password in commit history. We need to check branches.
Step 7: List All Branches
Let's see what branches are available:
git branch -a
What you'll see:
* master
remotes/origin/HEAD -> origin/master
remotes/origin/dev
The key: There's a dev branch! That's likely where the password is.
Step 8: Check the Dev Branch
Let's see what's in the dev branch. First, let's see the latest commit:
git show remotes/origin/dev
Or check it out to view files:
git checkout dev
cat README.md
What you'll see: The README in the dev branch should contain the password!
Step 9: Alternative: View Branch Diff
You can also view the difference between branches:
git show remotes/origin/dev -p
Or compare branches:
git diff master remotes/origin/dev
The key: Look for the password in the dev branch's README file.
Step 10: Extract the Password
From the dev branch's README, find:
- password: [PASSWORD_HERE]
That's your password for Level 30!
Step 11: Save the Password
Copy the password and save it:
On Linux/macOS:
echo "PASSWORD_HERE" > bandit30
On Windows (PowerShell):
"PASSWORD_HERE" | Out-File -FilePath bandit30 -NoNewline
Step 12: Connect to Level 30
sshpass -p `cat bandit30` ssh bandit30@bandit.labs.overthewire.org -p 2220
π‘ Understanding Git Branches in Depth
Let's dive deeper into Git branch concepts:
Branch Structure
Branches are pointers:
- Each branch points to a commit
- Branches can diverge
- Branches can merge back together
- Different branches can have different content
Why branches exist:
- Parallel development
- Feature isolation
- Testing before production
- Maintaining multiple versions
Understanding Branch Names
Common patterns:
master/mainβ Production codedev/developmentβ Active developmentstagingβ Pre-production testingfeature/feature-nameβ New featureshotfix/issue-nameβ Emergency fixes
In Level 30: The password is in a non-production branch (likely dev).
Why Secrets Are in Branches
Common scenarios:
- Secrets added during development
- Secrets removed from production branch
- Old branches still contain secrets
- Feature branches with test credentials
Why it's dangerous:
- Branches are often accessible
- Old branches might be forgotten
- Secrets persist in branch history
- Branch access controls might be weak
π Real-World Context
Why does this matter in penetration testing?
Git branches are another common source of exposed secrets:
1. Finding Secrets in Branches
In real assessments, you might:
- Clone repositories
- List all branches
- Check non-production branches
- Extract credentials from dev/staging branches
The technique: Same as Level 30βcheck all branches, especially non-production ones.
2. Common Branch Security Issues
Secrets in branches:
- Passwords in dev branches
- API keys in feature branches
- Credentials in staging branches
- Test data in old branches
Why it's dangerous:
- Branches are often accessible
- "Production is secure" doesn't mean branches are
- Old branches might be forgotten
- Branch access might be less restricted
3. Real-World Examples
Common scenarios:
- Developer adds password to dev branch
- Password removed from production
- Dev branch still accessible
- Password still works
The skill you're learning: How to enumerate Git branches and find secrets. This is essential for:
- Finding exposed credentials
- Understanding repository structure
- Discovering sensitive information
- Security auditing
π οΈ Alternative Methods
Here are different ways to approach Level 30:
Method 1: git branch -a + git checkout (Recommended)
git branch -a
git checkout dev
cat README.md
Pros: Simple and straightforward Cons: Changes your working directory
Method 2: git show remotes/origin/dev
git branch -a
git show remotes/origin/dev
Pros: Doesn't change working directory Cons: Shows commit, not just file contents
Method 3: git show remotes/origin/dev -p
git branch -a
git show remotes/origin/dev -p
Pros: Shows diff with changes Cons: Might be verbose
Method 4: git diff master remotes/origin/dev
git branch -a
git diff master remotes/origin/dev
Pros: Shows differences between branches Cons: Might show many changes
Method 5: Check Out Each Branch
git branch -a
for branch in $(git branch -a | grep remotes | grep -v HEAD); do
git checkout ${branch#remotes/origin/}
cat README.md
done
Pros: Checks all branches systematically Cons: More complex, changes working directory
For Level 30, use Method 1 or 2 β they're the most straightforward.
π¨ Common Mistakes
Mistake 1: Only Checking the Main Branch
Wrong: Reading README.md on master, seeing no password, giving up.
Right: Check all branchesβsecrets might be in non-production branches.
Why: The hint "no password in production" means check other branches.
Mistake 2: Not Understanding Branch Names
Wrong: Not recognizing that dev, staging, or development branches might contain secrets.
Right: Understand that non-production branches often have different content, including secrets.
Why: Developers often add secrets to dev branches for testing.
Mistake 3: Not Listing All Branches
Wrong: Only checking local branches with git branch.
Right: Use git branch -a to see all branches, including remote ones.
Why: The password might be in a remote branch that hasn't been checked out locally.
Mistake 4: Not Understanding git checkout
Wrong: Trying to read branch files without checking out the branch.
Right: Use git checkout <branch> to switch to a branch, or use git show <branch> to view branch contents.
Why: You need to switch to a branch (or use git show) to see its files.
Mistake 5: Missing the Hint
Wrong: Ignoring the "no password in production" hint in the README.
Right: Recognize this as a hint to check non-production branches.
Why: CTF levels often provide hints. "No password in production" means check dev/staging branches.
π» Practice Exercise
Try these to reinforce what you learned:
-
Understand branches:
git branch git branch -a git branch -r -
Check out branches:
git checkout dev git checkout master -
View branch contents:
git show dev git show remotes/origin/dev -
Compare branches:
git diff master dev git log master..dev
π Understanding Branch Security
This level introduces branch security concepts:
Why Branches Matter
Security implications:
- Secrets might be in non-production branches
- "Production is secure" doesn't mean branches are
- Old branches might be forgotten
- Branch access controls might be weak
Best Practices
To avoid exposing secrets:
- Never commit secrets to any branch
- Use
.gitignorefor sensitive files - Use environment variables or secrets managers
- Review all branches, not just production
If secrets are in branches:
- Rotate all exposed credentials immediately
- Consider all branches as potentially compromised
- May need to make repository private or delete branches
The skill you're learning: How to enumerate Git branches and find secrets. This is essential for:
- Security auditing
- Penetration testing
- Understanding version control security
- Finding exposed credentials
π What's Next?
Level 31 will likely build on Git concepts further, possibly involving tags, refs, or more advanced Git operations.
Before moving on, make sure you:
- β Understand Git branches
- β
Can list all branches (
git branch -a) - β
Can check out branches (
git checkout) - β
Can view branch contents (
git show) - β Know why branches matter for security
π Key Takeaways
After completing Level 30, you should understand:
- Git branches β Parallel lines of development
- Branch enumeration β How to list all branches
- Branch checking β How to view branch contents
- Secrets in branches β Why non-production branches might have secrets
- Security implications β Why branches matter for security
π― Quick Reference
| Concept | Explanation | Example |
|---|---|---|
| git branch -a | List all branches | git branch -a |
| git checkout | Switch to branch | git checkout dev |
| git show | Show branch commit | git show dev |
| Branches | Parallel development | master, dev, staging |
| Remote branches | Branches on server | remotes/origin/dev |
π Advanced: Understanding Git Branch Security
If you want to go deeper, here's Git branch security:
Branch Access Controls
Common issues:
- All branches accessible to all users
- No branch protection rules
- Old branches not deleted
- Weak branch permissions
Why it's dangerous:
- Secrets in branches are accessible
- Old branches might be forgotten
- Branch history contains secrets
- Branch access might be less restricted
Finding Secrets in Branches
Techniques:
- List all branches (
git branch -a) - Check out each branch
- View branch contents (
git show) - Compare branches (
git diff) - Search branch history
In Level 30: The password was in the dev branch, not the master branch. The hint "no password in production" led us to check non-production branches.
Questions about Level 30, Git branches, or branch security? Reach out directly:
- Email: m1k3@msquarellc.net
- Phone: (559) 670-3159
- Schedule: Book a free consultation
M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice