Hunt for Secrets in Git Repos
A walkthrough demonstrating the importance of preventing credentials being committed to git repositories.
Last updated
Was this helpful?
A walkthrough demonstrating the importance of preventing credentials being committed to git repositories.
Last updated
Was this helpful?
CTF Source:
In this walkthrough, we'll discover a set of AWS access keys (credentials) previously committed to GitHub and later removed. However, since the credentials were never rotated/deleted, they're still usable, and we can find these in previous commit histories. We'll then use these credentials to access sensitive data from an S3 bucket.
This serves as our target. We're going to download it locally and run a secrets scanning tool called .
Download the repo: git clone https://github.com/huge-logistics/cargo-logistics-dev.git
Install trufflehog: pip install trufflehog
Install awscli: brew install awscli (mac) apt install awscli (linux)
Trufflehog is a tool for finding secrets, but other solutions like exist. It's good to have a tool bag of useful tools as each will work differently and might discover findings missed by others.
We'll start by scanning the repository with trufflehog.
After running, we found AWS access keys! AKIAWHEOTHRFSGQITLIY:IqHCweAXZOi8WJlQrhuQulSuGnUO51HFgy7ZShoB
We also discovered the filename (log-upload.php) containing these credentials and the commit (Delete log-s3-test directory) it was added from.
Let's set up our awscli tool with the credentials we found, aws configure. We'll use the region us-east-1 as discovered in the code above but we can also find this in the headers from a curl command:
Next, we can list the bucket contents like so:
Next, we can download the contents of the S3 bucket.
Finally, we can get the Flag contents and find some plaintext PII data!
As was demonstrated, hard-coded credentials in code are never a good thing. Despite the credentials getting removed from the file, they still existed in the git commit history. Since these credentials were never rotated/deleted, it led to a compromise of PII data stored in an S3 bucket.
Several scanners are checking GitHub and others regularly for credentials. While Amazon and other "good" vendors or users might alert you after discovering your leaked credentials, plenty of users with malicious intent are harvesting your credentials.
If we examine that and related file in the GitHub repo, we can see this.
It's important to scan your code with tools like before committing. Git-secrets in particular will hook into commits and ultimately prevent the commit from occuring if credentials are discovered.
on what to do when AWS credentials get exposed.
