How to Explore an Exposed .git

k1ven — Fri, 23 Aug 2024 05:03:33 +0000

What is git?

Git is an open-source, distributed version control system (DVCS) that allows multiple developers to collaborate on a project by tracking changes to files and coordinating work. It enables users to create branches, merge changes, and revert to previous versions, making it a powerful tool for managing codebases of any size. With Git, each developer has a full copy of the repository, ensuring redundancy and enabling offline work. Its widespread adoption is driven by its flexibility, efficiency, and strong community support.

Potential Risks of Exposing a .git Directory

There are numerous risks associated with exposing a .git directory. For example, attackers can exploit this vulnerability to:

Exposure of Sensitive Information: Attackers can access the repository's history, including sensitive keys, credentials, and configuration files that might be stored in the repository. This could result in unauthorized access to other systems and services.
Project Cloning: If the .git directory is exposed, attackers can clone the entire project, gaining access to all the code, including proprietary or confidential information. This can lead to intellectual property theft or misuse.
Commit History Inspection: Attackers can inspect the commit history to find information that might have been accidentally committed, such as API keys, passwords, or other sensitive data that may have been removed but remains in the history.
Reconstruction of Past States: By accessing the .git directory, attackers can reconstruct the project's past states, potentially uncovering vulnerabilities that were fixed in later versions.
Analysis of Development Practices: Attackers can analyze your development practices, including how frequently commits are made, who is making them, and what changes are being implemented. This information can be used in social engineering attacks or to identify weaker points in your security posture.
Potential for Exploiting Security Vulnerabilities: If the source code is exposed, attackers can search for vulnerabilities in the code that might not have been publicly disclosed, increasing the risk of targeted attacks.

How to find a exposed .git?

There are several methods to identify an exposed .git directory. In this section, I will discuss two effective techniques: google dorks and directory enumeration.

Google Dorks

Refers to advanced search queries that use Google's search engine to find specific information that is often hidden or not easily accessible through standard searches. These queries leverage Google’s powerful search capabilities to uncover sensitive data, exposed files, or vulnerabilities on websites.

We can locate exposed .git directories using the intext operator.



intext:"Index of /.git"

Directory Enumeration

Is a technique to discover hidden directories and files. This process involves systematically probing a website to identify paths and resources.

There are many automated tools available for directory enumeration. In this example, I will demonstrate how to use the ffuf tool.



ffuf -u https://victim.com/FUZZ -w /path/to/wordlist



        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://victim.com.br/FUZZ
 :: Wordlist         : FUZZ: /path/to/wordlist
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.git                    [Status: 200, Size: 1923, Words: 20, Lines: 10, Duration: 122ms]
.git/config             [Status: 200, Size: 221, Words: 29, Lines: 10, Duration: 92ms]
.git/HEAD               [Status: 200, Size: 198, Words: 2, Lines: 10, Duration: 26ms]

If we look at .git/config, we find something like:



[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://victim.com
git
fetch +refs/heads/*:refs/remotes/origin/*
[branch "master"]
remote origin
merge refs/heads/master

How to get files from .git?

As previously mentioned, we can retrieve various files from the website. To accomplish this efficiently, we will use an automated tool to extract as many files as possible.

GitTools - Dumper

This tool can be used to download as much as possible from the found .git repository from webservers which do not have directory listing enabled.

This tool has no 100% guaranty to completely recover the .git repository. Especially if the repository has been compressed into pack-files, it may fail.

Usage:



bash ./gitdumper.py https://victim.com/.git/ output

We need to navigate to a specific version to view the files. Next, go to our folder and execute the following command:



git checkout -- .

How to fix this?

To mitigate this vulnerability, remove the .git folder from your web server or ensure that access to the .git directory is completely denied.

Apache

Update httpd.conf as follows:



<DirectoryMatch "^/.*/.git/">

     deny all;

</DirectoryMatch>

Nginx

If you are using Nginx, add the following instructions to your nginx.conf file:



location ~ /.git/ {

     deny all;

}

Conclusions

This is my first article; I hope you enjoyed it!
Honorable mention to my friend @Duk4s

DEV Community: k1ven