PortSwigger Academy - Information Disclosure in Version Control History
This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.
Lab Overview
❓ This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.
Instructions
To solve the lab:
- Obtain the password for the
administratoruser. - Access the admin interface.
- Delete the user
carlos.
In this blog post, I’ll explore a vulnerability that stems from exposing a .git directory on a production server. By exploiting this misconfiguration, I uncovered sensitive information, including an administrator password, which I then used to complete the challenge by logging in and deleting a user. This post walks through the steps I took to identify and exploit the issue, the underlying vulnerability, and remediation strategies.
Overview of the Challenge
The lab’s objective was to exploit an exposed .git directory to extract sensitive information, including the administrator password, and then log in to delete the user carlos. This challenge highlights how poor version control practices and improper server configuration can lead to severe security risks.
Initial Reconnaissance
The first step in any assessment is reconnaissance. I started by scanning the lab’s directory structure using common tools like Dirbuster to identify hidden or sensitive files and directories.
Before long, the scan revealed the presence of a .git directory:
This was the first sign of a serious misconfiguration. The .git directory contains the version control history of the web application’s codebase, including sensitive commits.
Exploring the .git Directory
Navigating to the .git directory in the browser, I was greeted with several files and folders that make up the repository:
One key file is the config file, which contains metadata about the repository, such as remote URLs. While it didn’t reveal anything sensitive initially, I noted it for potential future use.
Cloning the .git Repository
To analyze the full version control history, I downloaded the .git repository to my local machine using wget. If you’re on macOS and don’t have wget installed, you can install it via Homebrew (brew install wget).
wget -r [LAB_URL]/.git
Once the repository was downloaded, I navigated to the .git directory and initialized the sequence of Git commands below to analyze the history.
Investigating the Git Log
Using the git log command, I checked the commit history of the repository. This revealed several commits, including one that especially stood out—the administrator account.
git log
The commit message hinted at changes related to authentication, which seemed like a good lead. My next step was to examine the commit in detail.
Examining Commit History
To dive deeper, I used the git show command to inspect the details of the commits. One commit revealed the following sensitive information:
git show <commit-id>
The commit included the administrator password, which had been hardcoded into the codebase and later removed. However, as is the nature of Git, the credentials remained in the commit history:
With the password in hand, I was able to log in as the administrator and complete the challenge by deleting the user carlos.
Why It's Vulnerable
This lab highlights multiple issues stemming from poor version control practices and server misconfigurations:
1. Exposed .git Directory:
The web server’s .git directory was publicly accessible, allowing anyone to download the repository and analyze its history. This is a critical misconfiguration that should never occur in production environments.
2. Sensitive Information in Version Control History:
The developers committed sensitive credentials (the administrator password) into the repository. Although they removed the credentials in a later commit, Git’s version control design retains the entire history, making the credentials retrievable.
3. Improper Remediation Practices:
Attempting to remove sensitive data by making a new commit is insufficient. Without rewriting the commit history, the sensitive data remains accessible.
The Impact
The consequences of exposing a .git directory can be severe:
- Credential Leakage:
Hardcoded credentials, like the administrator password in this case, can be extracted from the repository. - Codebase Exposure:
The entire source code of the application, including potential vulnerabilities, is exposed to attackers. - Sensitive Metadata Disclosure:
Theconfigfile and other.gitmetadata can reveal details about the repository, such as remote URLs and developer information.
Let's Connect!
