Beginner Friendly
Hunt for Secrets in Git Repos
Great for Red and Blue! Find secrets and learn how to prevent committing them
Overview
We created this beginner-friendly lab to showcase a common issue: leaked credentials in git repositories. Your team has been engaged by Huge Logistics to assess their external security. You have been provided with a link to a company repository hosted on GitHub, and are tasked with assessing the security of it and any associated company infrastructure.
Scenario
While conducting OSINT on a lesser-known dark web forum as part of assessing your client's threat landscape, you stumble upon a thread discussing high-value targets. Among the chaos of links and boasts, a user casually mentions discovering an intriguing GitHub repository belonging to your client, the international titan, Huge Logistics. A couple of underground researchers hint at having found something but remain cryptic. Your instincts tell you there's more to uncover. Your objective? Dive deep into this repository, trace any associated infrastructure, and uncover any vulnerabilities before they become tomorrow's headline. The clock is ticking. Will you outsmart the adversaries?
Lab prerequisites
Learning outcomes
- Hunting for secrets using git-secrets and Trufflehog
- An understanding of how leaked credentials can be prevented and responded to
Real-world context
Leaked credentials in git repositories are a common, real-world security problem. The impact of credentials being made public includes the compromise of individual systems, or even entire company networks and platforms. Aside from the reputational damage, significant cloud costs can be incurred, and if customer data is leaked as a result of the compromise, fines from regulators can be eye-watering.
Pwned Labs:
Your cloud security training ground
Experience real-world, byte-sized cloud security labs for training cyber warriors. From beginners to pros, our engaging platform allows you to secure your defenses, ignite your career and stay ahead of threats.
Join us at any stage of your journey.