A-SEC Blog
Want to Contribute? Check our terms.

Finding a Treasure on Website


What happend to you if you found a Gold? Yes, the answer you will Happy! the same as what I will discuss today through this blog. Today i will teach you how to Finding a Treasure on Website . I will called it "Git Source Code Disclosure".

Requirements tools for explore this Treasure:

- VPS / Bash for Windows :-p

- Httpx ( https://github.com/projectdiscovery/httpx )

- Anew ( https://github.com/tomnomnom/anew )

- Assetsfinder ( https://github.com/tomnomnom/assetfinder )

- GitDumper ( https://github.com/internetwache/GitTools/ )

What is Git?

Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.

Previously I will explain what I will do is only for security purposes, no action / target is harmed.

Let's Dig In!

First, you must have a Shell Access/Terminal/Anything which is can running the Bash System & Golang Language. Because in this tutorial i have to Recommend to you using Linux (VPS,Or Anything)

Installing the Assetfinders (https://github.com/tomnomnom/assetfinder)

For installing Assetsfinders, you must have a Golang Language installed on your Machine.

If you have Go installed and configured (i.e. with $GOPATH/bin in your $PATH):

Command go get -u github.com/tomnomnom/assetfinder

after assetfinder is Installed on machine, test it. It's work? or no?

Command assetfinder --subs-only

If your assetsfinder is working, your Machine will be showed up the domain & subdomain on your targeted. to Make easier you can use this command to auto save the scanned domain.

Command assetfinder --subs-only > rezult.txt

Now you have saved the output which you have scanned the domain before, let's more dig the treasure.

Before you start finding the Treasure, you must have a vulnerable domain which can get the source code. How you know the domain is vulnerable? It's easy. You just add the /.git/HEAD on the domain, example : domain.com/.git/HEAD then see the output like this

or if you have a bulks domain, you can use this command (before using this command, you must installed the HTTPX,ANEW)

Command cat yourlist.txt  | sed 's#$#/.git/HEAD#g' | httpx -silent -content-length -status-code 301,302 -timeout 3 -retries 0 -ports 80,8080,443 -threads 500 -title | anew

The output of this command, you will showed up where is the domain is vulnerable or no. You can see the status of code is 200 

You have the vulnerable domain? Lets Find the Treasure!

Open your GitTools, then navigate to the Git Dumper, then execute the command below:

./gitdumper.sh https://target.com/.git/

In this stage, you only need to add the domain up to /.git/ without the HEAD , then navigate the extract folder which you want so save the Object.

Note: there are some domains that cannot be extracted data, usually it produces output like this and does not issue objects

Fail Extracted the Git, Only until /refs/wip/index/refs/heads/master (not extracted the object)

Successfully Extracted the Git, Wait until it finished.

Author : TuZKi666