# git happens

{% embed url="https://tryhackme.com/room/githappens" %}

## Enumeration

### nmap

```
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 61 nginx 1.14.0 (Ubuntu)
| http-git: 
|   10.10.150.242:80/.git/
|     Git repository found!
|_    Repository description: Unnamed repository; edit this file 'description' to name the...
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Super Awesome Site!
|_http-server-header: nginx/1.14.0 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
```

Woah, it detected the `.git` directory, which is what we will be focusing on.

### Webpage port80

![image.png](/files/JEo0SqHMOPcRXGpjPjJ3)

We get a login page here, and it does not really work.

### Gobuster

Since this is a git-related room and we already have a `.git` directory, we could stop here, but it is always good to look for other potential directories.

It turns out there is nothing interesting, so let's just see what is in the git repo.

<figure><img src="/files/2tA1cLe8W4lqYJ5jFnEh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gacEMgFLMwp4MYuSMq1S" alt=""><figcaption></figcaption></figure>

### Git

We can see a lot of things scattered here, so where do we start?

We will work with gitdumper. Download it by cloning GitTools: `git clone https://github.com/internetwache/GitTools.git`

Now let's dump the repo: `./GitTools/Dumper/gitdumper.sh http://<ip>/.git/ <output_dir_name>`

The first thing to do after dumping the repo is to navigate into the output directory and run `git reset --hard HEAD`. This populates the directory with the files from the latest commit.

<figure><img src="/files/G0rwBCN6eSElUdMDzbAI" alt=""><figcaption></figcaption></figure>

Let’s check the status first

<figure><img src="/files/3FzoBIJGZZ8T6XalCA1g" alt=""><figcaption></figcaption></figure>

Let’s check the logs

<figure><img src="/files/YbPRQtvcaAr8GoFAGQDb" alt=""><figcaption></figcaption></figure>

If we use `git log -p`, we get a more verbose response: the full diff of every commit.

<figure><img src="/files/k5IlXOcYIGivASvy3POM" alt=""><figcaption></figcaption></figure>

It looks like there is a Dockerfile, so let's use `git log -p -- Dockerfile` to see its history.

<figure><img src="/files/1o8z6kcQkC79WzxXZsVt" alt=""><figcaption></figcaption></figure>

Let’s open `default.conf`

<figure><img src="/files/znUSi6r37J3AeB4Cd6X4" alt=""><figcaption></figcaption></figure>

Now we can search the log for commits whose changes contain the string “password” and see whether anything comes up; the long hexadecimal string at the top of each entry is the **commit hash**.

And we do get hits. Look at the last one as well: its commit message implies that the author made the login page.

<figure><img src="/files/sFuorVJ48wbSOAvhMngj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/wry8oSubVxHzjef6rb0M" alt=""><figcaption></figcaption></figure>

In both **dashboard.html** and **index.html** we can see something quite odd.

Now we can run `git show <commit_hash>:<file> > old_commit`. This tells git to go back to that old commit, find this particular file, and give us its full content from that moment, which we save as **old\_commit**.

<figure><img src="/files/39IDeco6pSOie6xS7qAA" alt=""><figcaption></figcaption></figure>

Then we `cat` it to see whether there is anything in plain text. The dashboard one did not contain anything really, so let's try **index.html**.

<figure><img src="/files/OAR07bBjRt1p3soOrYFC" alt=""><figcaption></figcaption></figure>

Again: `git show 395e087334d613d5e423cdf8f7be27196a360459:index.html > old_index.html` and then `cat old_index.html`.

<figure><img src="/files/oMl3gItFTb0DytXIrXEf" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pqcZAnBhPwtaDOKGSTYu" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/L7MUurfR8fn7MIJpS3fT" alt=""><figcaption></figcaption></figure>

Here you go, we got the flag!

## Workflow

1. **Discovery:**
   * You find `http://<target>/.git/` (e.g., by browsing, directory scanning, or hints)
   * Confirm it is accessible (e.g., try requesting `http://<target>/.git/HEAD` or `http://<target>/.git/config`; if they download, the repository is exposed and likely exploitable)
2. **Dump the Repository:**
   * Use tools (like **GitTools Dumper**, **dvcs-ripper**, or **GitHacker**) to download as much of the .git directory as possible
   * Usage: `gitdumper.sh http://<target>/.git/ <output_folder>`
3. **Restore Local Working Copy:**
   * Navigate into the `<output_folder>` where the `.git` directory was downloaded
   * Run `git reset --hard HEAD` to get the actual files from the latest commit
4. **Initial Code & Config Review:**
   * Examine key files in the current checkout:
     * Config files (`*.conf`, `.yml`, `.env`, `Dockerfile`, `*-ci.yml`)
     * Source code (HTML, JS, PHP, Python, etc.)
     * README.md
   * Look for obvious **hardcoded** credentials, **API keys**, or **comments**
5. **Git History:**
   * **Commit Messages are Gold:**
     * `git log`: Read through the commit messages. Look for things like "removed password", "fixed bug", "added admin feature", "obfuscated", or "security fix"
   * **Examine Changes:**
     * `git log -p`: See the actual code changes for each commit. This is crucial for finding secrets that were committed and then removed
   * **Search History for Keywords:**
     * `git log -S"password"`
     * `git log -S"secret"`
     * `git log -S"flag"`
     * `git log -S"API_KEY"`
     * `git log -G"<regex_pattern>"` (for regex search in diffs)
   * **View Specific File Versions:**
     * If a commit message looks interesting (e.g., "obfuscated login page"), view the relevant file(s) *at that commit* or *before* it: `git show <commit_hash>:<path/to/file>`
   * **Check Other Branches:**
     * `git branch -a`: Look for dev/feature branches
     * `git checkout <branch_name>`: Explore code on other branches
6. **Analyze Code Logic:**
   * If HTML/JS is involved, understand how it works, especially if there are client-side checks, obfuscation, or crypto
   * Use browser developer tools (debugger, console) to deobfuscate or step through JavaScript
   * Look for hardcoded values it might be comparing against
7. **Test & Iterate:**
   * Try passwords/flags found in older commits
   * Try to satisfy the conditions of the (deobfuscated) JavaScript checks
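The same discovery logic, seen from the server side: this added example (not part of the room or of GitTools) parses nginx `combined` access log lines and reports which clients probed `/.git/` and whether the server actually served those paths, which is what the nmap `http-git` script confirmed above. The log lines are constructed samples; the loose-object path reuses the commit hash from this write-up.

```python
import re
from collections import defaultdict

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Anything under /.git/ (HEAD, config, objects/...) is what a dumper fetches first.
GIT_PROBE = re.compile(r'/\.git(/|$)')

# Constructed sample log (not from the room); the object path reuses the commit hash
# shown in the write-up, laid out the way git stores loose objects (2-char dir + rest).
SAMPLE_LOG = """\
10.10.14.7 - - [12/May/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2024:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Nmap Scripting Engine"
10.10.14.7 - - [12/May/2024:10:01:06 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "curl/7.68.0"
10.10.14.7 - - [12/May/2024:10:01:07 +0000] "GET /.git/objects/39/5e087334d613d5e423cdf8f7be27196a360459 HTTP/1.1" 200 311 "-" "curl/7.68.0"
10.10.14.9 - - [12/May/2024:10:02:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/7.68.0"
10.10.14.7 - - [12/May/2024:10:02:10 +0000] "GET /login.html HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit_git_exposure(log_text):
    """Map client IP -> {"probes": count of /.git/ requests, "served": paths answered 2xx}.

    A non-empty "served" list is confirmed exposure (the server handed out repo data);
    probes answered only with 403/404 are reconnaissance the server correctly refused.
    """
    findings = defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not GIT_PROBE.search(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["probes"] += 1
        if rec["status"].startswith("2"):
            entry["served"].append(rec["path"])
    return dict(findings)

if __name__ == "__main__":
    for ip, info in audit_git_exposure(SAMPLE_LOG).items():
        verdict = "EXPOSED" if info["served"] else "blocked"
        print(f"{ip}: {info['probes']} .git probe(s), {verdict} {info['served']}")
```

Feed it a real access log (`audit_git_exposure(open(path).read())`) after adding a `location ~ /\.git` deny rule to the nginx config to verify that later probes show up as blocked rather than served.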

