`

Notice some familiar filenames in this list? We saw donate.php

and robots.txt earlier, when we scanned the 172.16.10.12 (p-web-02)

host.

Viewing the Commits with Git Log

When you run into a git repository, you should attempt a git

log command to see the history of git code commits made to the

repository, as they may include interesting data we could use as

attackers. In source code management, a commit is a snapshot of the

code’s state that is taken before the code is pushed to the main

repository and made permanent. Commit information could include

details about who made the commit and a description of the change

(such as whether it was a code addition or deletion):

$ cd acme-impact-alliance-git

$ git log

commit 3822fd7a063f3890e78051e56bd280f00cc4180c (HEAD -> master)

Author: Kevin Peterson <[email protected]>

--snip--

commit code

As you can see, we’ve identified a person who has committed

code to the git repository: Kevin Peterson, at kpeterson@acme-

impact-alliance.com. Take note of this information because this

account could exist in other places found during the penetration test.

Try running gitjacker again to hijack the git repository that lives

on the second folder, at /backup/acme-hyper-branding. Then execute

another git log command to see who committed code to this

repository, as we did before. The log should reveal the identity of a

second person: Melissa Rogers, at mrogers@acme-hyper-

branding.com.

You may sometimes run into git repositories with many

contributors and many commits. We can use git’s built in --

pretty=format option to extract all this metadata very easily,

like so:

$ git log --pretty=format:"%an %ae"

The %ae (author name) and %ae (email) fields are built-in

placeholders in git that allow you to specify values of interest to

include in the output. To see the list of all available variables,

reference https://git-scm.com/docs/pretty-formats#_pretty_formats.

Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks