GitHub Gist Recon

The art of finding information leaks in GitHub Gists and elsewhere

Information Gathering, commonly referred to as Open Source Intelligence (OSINT), is a big part of any Red Team activity, Bug Bounty hunting and other types of security testing exercises. It is the first and perhaps the most important phase of a successful security engagement. An especially big, but often overlooked, part of this phase is finding leaked passwords and keys in GitHub Gists.

GitHub Gists are simple git projects. Most of them consist of a single file, so they are often used as a means to share and remember useful information. Because of these properties, Gists can, and often do, contain interesting information about the development practices of the target and sometimes more directly useful information such as passwords, keys, and references to internal and external endpoints.

Getting Started

Finding interesting Gists is not a task you would want to do manually. There are a lot of them and it can quickly get out of hand. You need specialist tooling. Tools such as Recon are particularly useful in such situations.

In this tutorial, we will find the GitHub account associated with the target org, enumerate all members and find all their Gists in search of juicy information.

We begin by launching Recon.


Once Recon is up, add a node by clicking on the PLUS (+) button and set its type to brand or domain. Any type will do for this exercise. Recon is flexible enough to infer the context of the query.

Set the label to github for the target org and confirm. Start typing github in the inspector window (the panel on the right) under the transforms search section until the list is reduced to the compatible transforms matching the search query.

In this example, we have 3 compatible transforms and we just need the one that will enumerate the GitHub members. Click on List GitHub Members to complete the action. Use the popup properties to configure the transform to your needs.


Now the graph is populated with GitHub's members (the target org is GitHub itself in this example). The member nodes not only embed links to the profiles but also the avatars and nicknames, so we know who is who. This information is particularly useful if we would like to expand the graph beyond the current task. More on this will follow in another tutorial.


Gist Analysis

Next, we pull the Gists. Select all GitHub members and click on the List GitHub Gists transform. This action will loop through the selected GitHub members, pull the Gists from their profiles and connect them with the relevant edges building the corresponding graph representation.

Bigger nodes have more edges, i.e. they carry more weight. This helps us identify what has more importance. Smaller nodes have less weight, which is useful for finding the needle in the haystack.


There are quite a few Gists in this example. To make them a bit more palatable, simply select them all and click on one of the available layout transforms. The Klay transform often works best at minimal performance cost.


The output graph is slightly better and we can go through all the nodes by following the relevant links, but undoubtedly it is difficult to perform this task at scale. Luckily for us, Recon contains a lot of transforms that can help us solve this little problem. One such transform is Urlscan Liveshot, which simply screenshots the pages and produces the relevant graph presentation. Let's do this quickly.

Select the Gists we want to screenshot. Find the Urlscan Liveshot transform and pull the trigger.


The resulting graph now contains all the screenshots we need for the review process. You can zoom in and out of the graph, peeking at each individual image. You can also take a bird's-eye view, which helps to visually inspect the results, or navigate to the Images tab to scroll through all the screenshot pages.

If you look close enough you will immediately notice leaks such as credentials, common bad development practices and other useful information which could potentially be leveraged in subsequent attacks.

Improving the solution

While having screenshots of web pages is often the best way to scan through a lot of content with minimal effort, sometimes it is better to simply search for it. Navigate to the graph view and expand the filter section. Now we can simply search the graph labels for the information we need. The table is filtered as we type.
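The same chain (org members, then their Gists, then a search of the Gist contents for credential-like strings) as a script against GitHub's public REST API, added here as an example that is not part of the original tutorial or of the Recon tool; it is the kind of check an organization can run against its own members' public Gists. The API paths are GitHub's documented ones; the secret patterns, function names and the SAMPLE_* Gist data are my own assumptions and constructions.

```python
# Added example, not the tutorial's or Recon's code: audit an org's members' public gists
# for credential-like strings via GitHub's REST API; SAMPLE_* data below is constructed.
import json, re, urllib.request
API = "https://api.github.com"
SECRET_PATTERNS = {  # our own selection of patterns; tune to your environment
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*\S{6,}"),
}
def http_get(url, token=None, raw=False):
    """GET a GitHub API (JSON) or raw gist URL; a token only raises the API rate limit."""
    headers = {"Accept": "text/plain" if raw else "application/vnd.github+json"}
    if token and not raw:
        headers["Authorization"] = f"Bearer {token}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        body = resp.read().decode("utf-8", "replace")
    return body if raw else json.loads(body)

def paginate(url, token=None):
    """Walk ?page=N until GitHub answers with an empty page."""
    items, page = [], 1
    while chunk := http_get(f"{url}?per_page=100&page={page}", token):
        items.extend(chunk)
        page += 1
    return items

def org_member_gists(org, token=None):
    """Public gists of every org member, keyed by login (the two transforms used above)."""
    members = paginate(f"{API}/orgs/{org}/members", token)
    return {m["login"]: paginate(f"{API}/users/{m['login']}/gists", token) for m in members}

def scan_text(text):
    """Return (pattern, line_no, redacted_hit) per match; never echo a full secret."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pat in SECRET_PATTERNS.items():
            hits += [(name, line_no, m.group(0)[:6] + "...") for m in pat.finditer(line)]
    return hits

def scan_gist(gist, fetch=lambda url: http_get(url, raw=True)):
    """Scan every file of one gist API record; fetch(raw_url) must return the file text."""
    return [{"gist": gist["html_url"], "file": fname, "pattern": p, "line": n, "match": r}
            for fname, meta in gist.get("files", {}).items()
            for p, n, r in scan_text(fetch(meta["raw_url"]))]
SAMPLE_GIST = {"html_url": "https://gist.github.com/example/0000",  # constructed, for offline runs
    "files": {"deploy.sh": {"raw_url": "raw://deploy.sh"}, "README.md": {"raw_url": "raw://README.md"}}}
SAMPLE_RAW = {"raw://deploy.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
              "DB_PASSWORD=hunter22secret\n", "raw://README.md": "# Deploy notes\nNothing sensitive.\n"}
```

Offline, `scan_gist(SAMPLE_GIST, SAMPLE_RAW.__getitem__)` flags the AWS key on line 2 and the password on line 3 of deploy.sh with the values redacted; live, iterate `org_member_gists(org)` and call `scan_gist(gist)` on each record.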


Conclusion

In this tutorial we explored a simple method for enumerating a GitHub organization, finding the members and locating their Gists revealing some interesting secrets in return. Now you can try to take this even further by expanding on some of the techniques learned here. Every hacker has their own way of going about OSINT so with practice and a bit of time you will develop your own methods and techniques.