This is a writeup about a retired HacktheBox machine: Craft This box is classified as a medium machine. The user part is quit long and involve to find "secrets" in a git repository, access an API to get a reverse shell and manipulate a MySQL database in a jailed environment. The root part is quit easier and involve to interact with a vault instance.

Recently I put unwanted data (a password) in one of my git commit. This commit was not push to an public server (like github or bitbucket) therefore there was no real security breach other than my git history.

The problem was to remove the data by rewriting the git history …