When developers work on projects, they often use version control systems like Git to manage changes to their codebase. GitHub is a widely used platform for hosting Git repositories, allowing developers to collaborate on projects and track changes over time. However, sometimes developers accidentally include sensitive information in their code commits, such as hardcoded credentials or API keys, which can then be exposed publicly on GitHub if not handled properly.
In this scenario, the focus shifts from public GitHub repositories to Git repositories that exist locally on workstations or servers rather than being publicly hosted.
Open a PowerShell with local Administrator privileges and run the following command to clone the scenario repository:

```
git clone https://github.com/nickvourd/Demo-App.git
```
When you identify a folder containing a `.git` directory, it signifies that the folder is a Git repository. One way to enumerate a Git repository, besides reading the source code of the files within it, is to explore its history and inspect past commits.
- View the IDs of all commits by using the following command:

```
git log
```

Outcome:

- Compare two commit IDs to identify the changes in the code between them:

```
git diff <commit-id-1> <commit-id-2>
```

Outcome:

ℹ️ Alternatively, you can use the following command to show the changes introduced by the most recent commit (HEAD):

```
git show
```

Outcome:
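Reading `git show` or `git diff` output by hand works for one small repository, but an auditor checking many cloned repositories on a host wants the same inspection automated over the entire history (`git log -p --all`). The following script is an added example for this page, not code from the Demo-App repository or its author: it parses unified-diff text, tracks which commit, file and post-image line each added line belongs to, flags values that look like credentials (a constructed set of patterns: password/token/API-key assignments, AWS access key IDs, and credentials embedded in URLs), and masks the value in the report so the report itself does not become another copy of the secret. The commit IDs, file names and values in `SAMPLE_HISTORY` are constructed for the example. The function names `scan_diff`, `mask` and `format_report` are this example's own.

```python
"""Scan unified-diff output (git show / git diff / git log -p) for committed secrets.

Added example for this page, not part of the Demo-App repository. It reads the
same text a reviewer inspects by hand and reports which commit, file and line
introduced a credential-looking value, so the secret can be rotated and the
commit purged. The patterns and the sample history below are constructed.
"""
import re
import sys
from dataclasses import dataclass

# Each pattern must expose a named group "value" holding the secret itself.
SECRET_PATTERNS = {
    "credential assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*"""
        # either a quoted value or a bare token running to end of line
        r"""(?P<value>['"][^'"]{4,}['"]|[A-Za-z0-9_+/=.\-]{4,}(?=\s|$))"""
    ),
    "AWS access key id": re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b"),
    "credential embedded in URL": re.compile(
        r"[A-Za-z][A-Za-z0-9+.\-]*://[^/\s:@]+:(?P<value>[^@\s]+)@"
    ),
}

# Constructed `git log -p` output (newest commit first), not real history.
SAMPLE_HISTORY = """\
commit 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c
Author: Example Dev <dev@example.invalid>
Date:   Tue Jan 2 00:00:00 2024 +0000

    move secret out of source

diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,5 +1,5 @@
 DB_HOST = "db.internal.example"
 DB_USER = "svc_app"
-DB_PASSWORD = "Winter2024!"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 DB_NAME = "app"
commit 3f2a9c1d4e5b6a7f8091a2b3c4d5e6f708192a3b
Author: Example Dev <dev@example.invalid>
Date:   Mon Jan 1 00:00:00 2024 +0000

    add database settings

diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DB_HOST = "db.internal.example"
+DB_USER = "svc_app"
+DB_PASSWORD = "Winter2024!"
 DB_NAME = "app"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY0000AB"
diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+# password policy: tokens expire after 30 days
+API_KEY=sk_live_constructed_example_1234
+DATABASE_URL=postgres://svc_app:Winter2024!@db.internal.example/app
"""


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line: int
    kind: str
    masked: str


def mask(value: str) -> str:
    """Show only the first and last two characters so the report leaks nothing."""
    if len(value) <= 6:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_diff(text: str) -> list[Finding]:
    """Walk diff text line by line and check every added ('+') line.

    Removed ('-') lines are not checked: whatever they contained was added by an
    earlier commit, which a scan over the whole `git log -p` output also reaches.
    """
    findings: list[Finding] = []
    commit = "(uncommitted)"   # plain `git diff` output carries no commit header
    path = "?"
    new_line = 0               # line number on the '+' side of the current hunk
    for raw in text.splitlines():
        m = re.match(r"commit ([0-9a-f]{7,40})\b", raw)
        if m:
            commit = m.group(1)
            continue
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")   # git prefixes the new path with b/
            continue
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith(" "):           # context line: present on both sides
            new_line += 1
            continue
        if not raw.startswith("+"):       # removed line, file header or git metadata
            continue
        added = raw[1:]
        for kind, pattern in SECRET_PATTERNS.items():
            hit = pattern.search(added)
            if hit:
                value = hit.group("value").strip("'\"")
                findings.append(Finding(commit, path, new_line, kind, mask(value)))
        new_line += 1
    return findings


def format_report(findings: list[Finding]) -> list[str]:
    """One line per finding: short commit id, file:line, kind and masked value."""
    return [f"{f.commit[:12]} {f.path}:{f.line} {f.kind}: {f.masked}" for f in findings]


if __name__ == "__main__":
    # Usage: git log -p --all | python scan_history.py   (or: git show | python scan_history.py)
    # With no piped input, the constructed sample history above is scanned instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HISTORY
    hits = scan_diff(source)
    print("\n".join(format_report(hits)) or "no credential-looking lines found")
    sys.exit(1 if hits else 0)   # non-zero exit lets a CI job or pre-commit hook fail
```

Run against the sample, the scanner reports nothing for the newer commit (the password was moved into an environment variable) and four findings for the older one, all attributed to that commit ID, which is exactly the list of commits that must be purged and the secrets that must be rotated. Because `scan_diff` takes plain text, the same function can be fed `git diff --cached` from a pre-commit hook to stop new secrets before they enter history; the patterns are deliberately simple and will need tuning for the secret formats your own code base uses.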
Once the hardcoded credentials have been recovered from the repository history, there are several ways to put them to use, and if they are still valid they can be used to elevate privileges.
Some of the common services are:
- Remote Desktop Protocol (RDP)
- Windows Remote Management (WinRM) (If it is enabled)
- Server Message Block (SMB)
- Windows Management Instrumentation (WMI)
- Virtual Network Computing (VNC) (If it is enabled)
To identify a valid authentication method, you can use NetExec.
This is an example of using the SMB service to authenticate against the workstation and execute a command:

```
nxc smb <ip> -u <username> -p '<password>' -x whoami
```

Outcome:
If credentials have been accidentally committed to the repository, consider rewriting history to remove them entirely. Tools like `git filter-branch` or `git filter-repo` can help sanitize the commit history.
Moreover, create a `.gitignore` file and include patterns for files or directories that contain sensitive information. This prevents them from being accidentally committed to the repository.
Last but not least, change the leaked account credentials immediately: rewriting history does not remove the secret from clones or backups taken before the rewrite, so a purged password must still be treated as compromised.