🐙 Hacking GitHub – A Beginner’s Guide to Finding the (Not So) Hidden Stuff

Table of contents

Hey everyone!
Hope you're all doing well and still not accidentally committing your .env files 😅

Before we dive in, just a quick note: I'm currently working on the next post for the blog! It's going to be all about hacking in Docker while building a security tool in Rust. A mix of learning, building, and breaking things, so stay tuned. I hope you'll enjoy it! 🚀

This week, we're diving into GitHub but not just as a place where devs hang out and push code. We’re treating it like a public treasure map for recon, and you're about to learn how to read it.
If you're new to security or bug hunting, this is a great place to start. Let's go 👇

🧩 So… What Is Git? And Why Do Hackers Care?

At its core, Git is a version control system. It tracks changes in files over time so developers can:

• Work together without stepping on each other’s toes,
• Roll back when things break (which they do),
• And keep a complete history of everything.

Git stores data in a structure of commits, where each one is like a snapshot of the project at that moment. These snapshots live in a hidden .git directory and include all file contents, history, metadata, and links to parent commits.

Now, GitHub is just a platform built on top of Git. It hosts your Git repositories online and adds features like:

• Web-based collaboration,
• Pull requests and issues,
• Actions for automation (CI/CD),
• And, occasionally… juicy developer mistakes.

Why does this matter for us?
Because all of that metadata, history, and collaboration?
It can leak things. Big things.

🔍 GitHub Dorking (The Google Hacking of GitHub)

GitHub’s search engine is surprisingly powerful. You can use advanced queries (a.k.a. dorks) to find files that probably shouldn't be public.

Some juicy examples:

filename:.env
filename:id_rsa
filename:credentials AWS
extension:pem private

🔧 Tools to help automate this:

• github-dorks
• github-search

Try them. It’s wild what you’ll find just sitting out there.

💾 Fuzzing for .git/ – Downloading Repos in Production

One of the most overlooked but real-world exploitable issues is when developers leave the .git/ folder exposed in production servers.

If you fuzz URLs and find something like:

https://example.com/.git/

...congrats. You can often dump the entire source code using git-dumper:

git-dumper https://example.com/.git/ ./dumped-repo

This fetches:

• The full history,
• Commit logs,
• Deleted secrets (yep),
• And sometimes hardcoded credentials to staging or prod.

Pair this with tools like ffuf or dirsearch to fuzz for the .git/ path, and you've got a reliable technique to add to your recon routine.

🧠 Dig Through the Commit History

Even if a developer deletes a secret, Git keeps it in the commit history.

Try this:

git log -p | grep -i "password\|secret\|token"

Or use scanners that do it for you:

• TruffleHog
• Gitleaks

These tools can even scan Git blobs, packfiles, and old deleted commits.

💣 Recover Deleted Files

Git is like a clingy ex—it doesn’t let go of anything.

You can find deleted files using:

git log --diff-filter=D --summary

And for hidden or unreachable stuff:

git fsck --unreachable --dangling

Then extract with:

git cat-file -p <blob-hash>

I've found .env files, API keys, and even production DB creds sitting quietly in those forgotten corners.

⚙️ GitHub Actions – Your CI/CD Playground

Many repos use GitHub Actions to automate builds and deployments. But misconfigured workflows = goldmine for attackers.

Look inside:

.github/workflows/*.yml

Red flags to look for:

• pull_request_target events (can be abused from forks),
• Secrets used without proper validation,
• Dynamic run: commands pulling in untrusted input.

It's a CI/CD Wild West out there.

🧪 Submodules & Internal Clues

Some projects use Git submodules, which can reveal internal tools or private repos.

Check this:

cat .gitmodules

Other files that leak info:

• .npmrc, .pypirc, .dockerignore
• .vscode/settings.json
• .github/ISSUE_TEMPLATE/config.yml

You’ll often find references to internal servers, S3 buckets, test credentials, and even real domains.

📦 Analyzing .pack Files and Blobs

Feeling adventurous?

Git compresses unused data into .pack files. You can extract them using:

git unpack-objects < .git/objects/pack/pack-xyz.pack

And then:

git cat-file -p <hash>

Sometimes scanners miss stuff in compressed blobs. Doing this manually = more finds and more fun.

🧪 Where to Practice GitHub Hacking

Want to get your hands dirty? Here are a few solid places to start:

Labs & CTFs:

• 🧪 TryHackMe – Git Happens
  Great intro to .git folder exposures, how to use git-dumper, and what sensitive info might be lurking in commit histories.
• 🎮 Git-Game
  A terminal-based challenge where you solve puzzles using Git commands. It’s super fun and teaches you to explore branches, tags, logs, and hidden secrets.
• 🧠 Hack The Box – Devzat
  Find an exposed .git folder (no 404s to help you), use git-dumper, and dig through commit history to uncover credentials.
• 🔍 Hack The Box – Editorial
  Commit spelunking at its finest. Find a leaked password, then exploit a vulnerable python-git dependency for remote code execution.
• 🛠 Hack The Box – Craft
  Combines Git repo analysis with leaked JWTs and Git issues. Use tools like TruffleHog or go full manual. Realistic and very satisfying.
• 💾 Hack The Box – Pilgrimage
  Classic .git leak. Dump the repo, analyze the code, and use what you find to break in deeper.
• ⚙️ Hack The Box – Bitlab
  GitLab-based box with JavaScript-leaked creds, Git hooks for privesc, and a full repo-to-root flow.
• 🐙 Hack The Box – OpenSource
  Gitea box where you’ll explore commit history for keys, exploit GitSync automation, and craft a sneaky pre-commit privesc.

Tools:

• git-dumper
• truffleHog
• gitleaks
• github-search
• ffuf + .git wordlists

Dork collections:

• techgaun/github-dorks

🧭 Final Thoughts

GitHub isn't just a platform for devs. It's a hacker’s playground full of leftover tokens, config files, and developer breadcrumbs.

If you’re just getting started:

• Learn Git internals. Understanding .git gives you power.
• Practice with fuzzing + git-dumper.
• Explore commits and deleted files regularly.

Git doesn’t forget. Use that to your advantage.

Catch you next week,

Ruben

Chapters

Inside the Request: From Basic SSRF to Internal Takeover

Previous Issue

arrow_upward