HowTo Search for Secrets
Recently HackerOne had an incident with public GitHub repositories containing PoCs and other fun stuff for 0-days (including RCE) in customers' infrastructure.
So here is a basic workflow for finding a company's public secrets:
- Get list of domains
- Information gathering - understand company
Here you should grasp how the company deals with its codebase. Is it a simple local git repo? Do they have an internal git server? Do they use GitHub/GitLab/…? Search whom they hire/hired - in most cases this is your main source of info. Read the job descriptions carefully. If they have DevOps positions, they likely have an internal git server.
- Bruteforce subdomains (for public git servers)
- Crawl domains for email addresses
- Use google dorks to find other subdomains - use sd-goo
- Use google dorks to find emails - "@example.com"
- Use google dorks for company name mentions on other sites; they might be related
- Use a little OSINT - search for company developers' emails and social profiles
- If the company has a blog, read it; there may be some dev info there
- (worst case scenario) If you have no idea, impersonate someone and use social engineering: apply for a job position and ask questions at the interview.
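Added here as an example (not code from the original notes): a small Python helper for the crawling and dorking steps above. It pulls company e-mail addresses out of a page (decoding HTML entities and [at]/(at)/[dot] obfuscation), spots git remote URLs that give away an internal git server, and builds the dork strings. The page content, example.com, the addresses and the hostnames are all constructed for the demo.

```python
import re
from html import unescape

# Constructed sample page (not a real site): what a crawler might pull from
# the "about"/careers page of the hypothetical company example.com.
SAMPLE_HTML = """
<html><body>
<p>Contact: <a href="mailto:press@example.com">press@example.com</a></p>
<p>Engineering lead: jane.doe [at] example.com, Ops: ops(at)corp.example.com</p>
<p>Recruiter: hr@staffing-agency.net</p>
<p>Build docs: git clone https://git.example.com/platform/api.git</p>
<script>var contact = "noreply&#64;example.com";</script>
</body></html>
"""

# Obfuscations people use to keep addresses away from scrapers.
_AT_VARIANTS = re.compile(r"\s*(?:\[at\]|\(at\)|\{at\})\s*", re.I)
_DOT_VARIANTS = re.compile(r"\s*(?:\[dot\]|\(dot\))\s*", re.I)
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A git remote in docs/snippets leaks the hostname of a self-hosted git server.
_GIT_REMOTE = re.compile(r"(?:git@|ssh://git@|https?://)([A-Za-z0-9.-]+)[:/][\w./-]+\.git\b")


def in_scope(host: str, domains: set[str]) -> bool:
    """True if host is one of the company's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_emails(html: str, domains: set[str]) -> set[str]:
    """Lower-cased e-mail addresses on the page that belong to `domains`.
    Decodes HTML entities (&#64; -> @) and [at]/(at)/[dot] obfuscation first."""
    text = unescape(html)
    text = _DOT_VARIANTS.sub(".", _AT_VARIANTS.sub("@", text))
    found = set()
    for addr in _EMAIL.findall(text):
        addr = addr.lower()
        if in_scope(addr.rsplit("@", 1)[1], domains):
            found.add(addr)
    return found


def extract_git_hosts(html: str) -> set[str]:
    """Hostnames of git remotes mentioned on the page (internal git servers)."""
    return set(_GIT_REMOTE.findall(unescape(html)))


def build_dorks(company: str, domains: set[str]) -> list[str]:
    """Google dork strings for the subdomain / e-mail / mention searches above."""
    dorks = []
    for d in sorted(domains):
        dorks.append(f"site:*.{d} -site:www.{d}")   # other subdomains
        dorks.append(f'"@{d}"')                      # e-mail addresses
        dorks.append(f'"{d}" -site:{d}')             # mentions on other sites
    dorks.append(f'"{company}" (site:github.com OR site:gitlab.com)')
    return dorks


if __name__ == "__main__":
    scope = {"example.com"}
    print(sorted(extract_emails(SAMPLE_HTML, scope)))
    print(sorted(extract_git_hosts(SAMPLE_HTML)))
    print("\n".join(build_dorks("Example Corp", scope)))
```

Feed it the HTML of each crawled page and a set of the company's registered domains; the domain filter is what keeps recruiter and agency addresses (hr@staffing-agency.net above) out of the list, and any git host it returns goes straight onto the subdomain bruteforce list.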
- The Great Git Hunt
- Gather git/docker public servers:
https://github.com/ https://launchpad.net/ https://gitlab.com/explore https://gitea.com/explore/repos https://savannah.nongnu.org/search/ https://codeberg.org/explore/repos https://hub.docker.com/ https://huggingface.co/ <your national git server> ...
- search for organizations containing company name or domains
- search for users containing company name, emails, domains
- enumerate users with company email addresses
- search for any mentioning of company name/domains in code/issues
- for found users - check their organizations, check if they have profiles on other platforms, and use WebArchive to check what they have deleted
- for orgs - check followers and members
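Added example for the GitHub part of the enumeration steps above (my own helper, not from the original notes): it builds the Search API queries for orgs/users carrying the company name, users with a company address in their profile e-mail, commits by known addresses, and code/issues mentioning the domains, and walks result pages by following the Link: rel="next" header while watching the rate-limit headers. Code search needs a token; the other endpoints work unauthenticated at a lower rate limit. Example Corp, example.com, the logins and the two canned API pages are constructed so the block runs offline.

```python
import json
import re
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

API = "https://api.github.com"
_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')


def search_urls(company: str, domains: list[str], emails: list[str]) -> dict[str, str]:
    """Search API URLs for the enumeration steps. type:org / type:user,
    in:email, in:name,description,readme and author-email: are GitHub
    search qualifiers; per_page=100 is the API maximum."""
    def u(endpoint: str, q: str) -> str:
        return f"{API}/search/{endpoint}?q={quote(q)}&per_page=100"
    urls = {
        "orgs-by-name": u("users", f"{company} type:org"),
        "users-by-name": u("users", f"{company} type:user"),
        "repos-by-name": u("repositories", f"{company} in:name,description,readme"),
    }
    for d in domains:
        urls[f"users-email-{d}"] = u("users", f"{d} in:email")
        urls[f"code-{d}"] = u("code", f'"{d}"')        # needs a token
        urls[f"issues-{d}"] = u("issues", f'"{d}"')
    for e in emails:
        urls[f"commits-{e}"] = u("commits", f"author-email:{e}")
    return urls


def paginate(url: str, fetch) -> list[dict]:
    """Collect `items` across pages by following Link: rel="next".
    fetch(url) -> (status, headers, body), so an offline stand-in can be used."""
    items = []
    while url:
        status, headers, body = fetch(url)
        if status == 403 and headers.get("X-RateLimit-Remaining") == "0":
            raise RuntimeError(f"rate limited until epoch {headers.get('X-RateLimit-Reset')}")
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}")
        items.extend(json.loads(body).get("items", []))
        m = _NEXT.search(headers.get("Link", ""))
        url = m.group(1) if m else None
    return items


def github_fetch(url: str, token: str = ""):
    """Real fetch via urllib; returns (status, headers, body) even on 403/422."""
    req = Request(url, headers={"Accept": "application/vnd.github+json",
                                "User-Agent": "secret-hunt-notes"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


# Constructed offline stand-in for the API: two pages of user-search results.
_USERS_Q = f"{API}/search/users?q=example.com%20in%3Aemail&per_page=100"
_FAKE_PAGES = {
    _USERS_Q: (200, {"Link": f'<{_USERS_Q}&page=2>; rel="next", <{_USERS_Q}&page=2>; rel="last"'},
               json.dumps({"total_count": 3, "items": [{"login": "jane-doe"}, {"login": "example-ops"}]})),
    _USERS_Q + "&page=2": (200, {"Link": f'<{_USERS_Q}>; rel="prev"'},
                           json.dumps({"total_count": 3, "items": [{"login": "ex-bot"}]})),
}


def fake_fetch(url: str):
    return _FAKE_PAGES[url]


if __name__ == "__main__":
    urls = search_urls("Example Corp", ["example.com"], ["jane.doe@example.com"])
    for name, url in urls.items():
        print(name, url)
    print([u["login"] for u in paginate(urls["users-email-example.com"], fake_fetch)])
```

Swap fake_fetch for github_fetch (with a token for the code endpoint) to run it for real; the logins it returns are the users you then check for orgs, other platforms and deleted repos.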
- Download it all
If you find a resource that is connected with the company, download all git repos of the associated user, in case they get deleted
https://github.com/rkooyenga/git-clone - Exploit
- Secrets - use gitleaks and semgrep to find secrets/keys in repositories. Scan the whole history, not just the current checkout (gitleaks does this by default): a key that was committed and then deleted in a later commit is still in git log -p, and on GitHub a commit can stay reachable by its hash even after the branch was force-pushed over it. If it seems that secrets were there and have been removed, try the web archive.
- Vulnerabilities - if you find code that the company actually uses, run SAST tools over it to find vulnerabilities. Set up a lab to research manually.
- Check commit/pull history - it may have interesting comments or modifications by other users (repeat steps 4-7 for them if needed)
- Check issues; some misbehavior reported there may actually be a vulnerability
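Added example for the secrets step (my own code, not from the original notes and not gitleaks itself): a minimal history-aware secret scanner that walks git log -p output and reports each hit with the commit it was added or removed in. The point it makes is the caveat above: the sample history has a clean HEAD, yet every credential is recoverable from the previous commit. The log excerpt, commit ids, repo and hostnames are constructed; the AWS key is the one from AWS's own documentation, not a live credential.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of `git log -p` output (newest commit first, as git
# prints it) for a hypothetical repo: creds added, then "removed".
SAMPLE_LOG = """\
commit b2c3d4e
Author: jane.doe <jane.doe@example.com>

    oops, remove creds

diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-DB_URL=postgres://app:Sup3rS3cret@db.internal.example.com:5432/app
+# credentials now come from the vault

commit a1b2c3d
Author: jane.doe <jane.doe@example.com>

    add deploy config

diff --git a/deploy.env b/deploy.env
--- /dev/null
+++ b/deploy.env
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+DB_URL=postgres://app:Sup3rS3cret@db.internal.example.com:5432/app
"""

# Group 1 (where present) is the secret value; otherwise the whole match is.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "url-with-credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@[^\s/]+"),
    "assignment": re.compile(
        r"""(?i)(?:secret|password|passwd|token|api_?key)[a-z_]*\s*[:=]\s*['"]?([A-Za-z0-9/+_.=-]{12,})"""),
}


@dataclass(frozen=True)
class Finding:
    commit: str
    status: str   # "+" added in this commit, "-" removed in this commit
    kind: str
    value: str


def scan_history(log: str) -> list[Finding]:
    """Run every pattern over the added/removed lines of a `git log -p` dump."""
    findings, commit = [], "?"
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        # Only +/- lines carry content; skip file headers (+++ / ---) and context.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        status, text = line[0], line[1:]
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                findings.append(Finding(commit, status, kind, m.group(m.lastindex or 0)))
    return findings


def removed_but_in_history(findings: list[Finding]) -> set[str]:
    """Secrets whose newest occurrence is a removal: gone from HEAD, still
    recoverable with `git show <commit>`. Relies on newest-first log order."""
    newest = {}
    for f in findings:
        newest.setdefault(f.value, f.status)
    return {v for v, s in newest.items() if s == "-"}


if __name__ == "__main__":
    hits = scan_history(SAMPLE_LOG)
    for h in hits:
        print(f"{h.commit} {h.status} {h.kind}: {h.value}")
    print("removed from HEAD but in history:", removed_but_in_history(hits))
```

Run it as `git log -p --all | python3 scan.py` after a `git clone --mirror` (which fetches every ref, not just the default branch); the patterns are deliberately few, so keep gitleaks as the real scanner and treat this as the explanation of why a clean working tree proves nothing.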
- Monitor it
Start monitoring those users for new repos, and those repos for new commits.
For that you can use RSS (check the RSSHub Radar extension), email subscription (account needed), or monitor the site via other solutions: git-topic (changedetection looks great).
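Added example for the monitoring step (my own script, not from the original notes): a poller that reads the Atom feeds GitHub serves without login (a user's activity feed and a repo branch's commit feed; the feed paths are my assumption, verify them against the site, and GitLab/Gitea have their own), keeps the entry ids it has already seen in a JSON state file, and prints only what is new on each run. The sample feeds, example-dev, the repo and the commit ids are constructed so the block runs offline.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.request import Request, urlopen

ATOM = "{http://www.w3.org/2005/Atom}"


def feed_urls(users: list[str], repos: list[tuple[str, str, str]]) -> list[str]:
    """Assumed public GitHub feed paths: per-user activity, per-branch commits."""
    urls = [f"https://github.com/{u}.atom" for u in users]
    urls += [f"https://github.com/{o}/{r}/commits/{b}.atom" for o, r, b in repos]
    return urls


def parse_entries(feed_xml: str) -> list[dict]:
    """Pull id/title/updated/author/link out of every Atom <entry>."""
    root = ET.fromstring(feed_xml)
    entries = []
    for e in root.findall(ATOM + "entry"):
        link = e.find(ATOM + "link")
        entries.append({
            "id": e.findtext(ATOM + "id"),
            "title": (e.findtext(ATOM + "title") or "").strip(),
            "updated": e.findtext(ATOM + "updated"),
            "author": e.findtext(f"{ATOM}author/{ATOM}name"),
            "link": link.get("href") if link is not None else None,
        })
    return entries


def new_entries(feed_url: str, feed_xml: str, state: dict) -> list[dict]:
    """Entries not yet recorded in `state` for this feed; records them."""
    seen = set(state.get(feed_url, []))
    fresh = [e for e in parse_entries(feed_xml) if e["id"] not in seen]
    state[feed_url] = sorted(seen | {e["id"] for e in fresh})
    return fresh


def load_state(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_state(path: Path, state: dict) -> None:
    path.write_text(json.dumps(state, indent=1))


def fetch(url: str) -> str:
    req = Request(url, headers={"User-Agent": "secret-hunt-monitor"})
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed feed in the shape of a GitHub commits feed, for an offline run.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Recent Commits to api:main</title>
  <entry>
    <id>tag:github.com,2008:Grit::Commit/b2c3d4e</id>
    <link type="text/html" rel="alternate" href="https://github.com/example-dev/api/commit/b2c3d4e"/>
    <title>oops, remove creds</title>
    <updated>2024-05-02T10:00:00Z</updated>
    <author><name>jane.doe</name></author>
  </entry>
  <entry>
    <id>tag:github.com,2008:Grit::Commit/a1b2c3d</id>
    <link type="text/html" rel="alternate" href="https://github.com/example-dev/api/commit/a1b2c3d"/>
    <title>add deploy config</title>
    <updated>2024-05-01T09:00:00Z</updated>
    <author><name>jane.doe</name></author>
  </entry>
</feed>
"""
# The same feed one poll later, with one more commit on top.
SAMPLE_FEED_LATER = SAMPLE_FEED.replace("<entry>", """<entry>
    <id>tag:github.com,2008:Grit::Commit/c3d4e5f</id>
    <link type="text/html" rel="alternate" href="https://github.com/example-dev/api/commit/c3d4e5f"/>
    <title>rotate keys</title>
    <updated>2024-05-03T08:00:00Z</updated>
    <author><name>jane.doe</name></author>
  </entry>
  <entry>""", 1)


if __name__ == "__main__":
    import sys
    state_file = Path("feed-state.json")
    state = load_state(state_file)
    # Feed URLs on the command line, else the (hypothetical) example-dev targets.
    urls = sys.argv[1:] or feed_urls(["example-dev"], [("example-dev", "api", "main")])
    for url in urls:
        try:
            xml_text = fetch(url)
        except OSError as exc:
            print(f"{url}: {exc}")
            continue
        for e in new_entries(url, xml_text, state):
            print(f"NEW {e['updated']} {e['author']} {e['title']} {e['link']}")
    save_state(state_file, state)
```

Put it in cron with the feed list from the enumeration step; new commits are what you re-run the secret scan on, and "created a repository" entries in the user feed are the new repos to clone before they disappear.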
In fact, this entire post is a reminder to automate this process and make a script in the future.