> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/git/history-analysis/trick-0158.md).

# Credential Harvesting from .git/config

***

Check for local Git repositories and read their configuration file, typically located at `.git/config`. Remote URLs configured within this file can sometimes contain embedded credentials (e.g., `http://user:password@host/repo.git`). Developers accidentally commit configuration files that contain hardcoded credentials.

```bash
cat /var/www/app/.git/config
```

Attackers can leverage search engines like Shodan to identify publicly exposed `.git/config` files. Once a `.git/config` file is located, attackers can download or view its contents. In addition to remote URLs, other sensitive information can be found. Attackers look for publicly exposed `.git/config` files containing AWS credentials, Google Cloud, and Azure credentials, database credentials, API keys, SSH keys, email addresses, and other sensitive information. A simple command can be used to search for common sensitive keywords within the file:

```bash
grep -r --no-dereference -e "password" -e "token" -e "secret" .git/config
```

Attackers can also look for specific patterns related to cloud provider credentials or database connection strings. Discovering such credentials allows for testing them against other services on the target system. For instance, credentials `cody:jh1usoih2bkjaspwe92` found in a remote URL might not work for 'cody', but the password could grant `sudo` privileges for a different user like 'svc'.
