CyberCheatsheets

Git Cheat Sheet

Version control CLI for cloning repos, hunting exposed secrets in history, and recovering source during web assessments.

Utilities & ShellsreconsecretsvcsUpdated 2026-06-02

Overview

Git tracks source history. Misconfigured .git exposure lets attackers rebuild repositories and mine commits for credentials, API keys, and internal paths — common in web pentests and CTFs.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

sudo apt install -y git
git --version

Essential commands

Clone

git clone https://github.com/org/repo.git
git clone user@host:/path/repo.git

Status / log

git status
git log --oneline -20

Show file at commit

git show HEAD:config.php

Common workflows

Dump with git-dumper

pip install git-dumper
git-dumper https://target/.git/ ./loot/
cd loot && git checkout .
git log -p | grep -iE 'password|api_key|secret'

Manual wget recovery (if dumper fails) —

wget -r -np -nH --cut-dirs=1 https://target/.git/
git checkout -f

Search entire history for secrets —

git log -p | grep -i password
git secrets --scan  # if installed
trufflehog git file://./repo

All commits touching file

git log --all --full-history -- env.production

Recover deleted file —

git log --diff-filter=D --summary
git checkout COMMIT_HASH^ -- path/to/deleted.php

Branches and stashes —

git branch -a
git checkout develop
git stash list
git stash show -p stash@{0}

Submodule / config leaks —

cat .git/config
git submodule update --init --recursive

Flags reference

clone URL

Copy repository

log -p

Patch per commit

show REF:PATH

File at revision

checkout BRANCH

Switch branch

reset --hard ORIGIN

Discard local (careful)

reflog

Recover lost commits

grep -r pattern $(git rev-list --all)

Search all commits

Tips

  • .git/HEAD + objects/ exposure is enough for reconstruction — test / .git/HEAD (no space).
  • Developers commit .env then delete — still in history; use git log -p -- .env.
  • For GitHub/GitLab APIs use tokens with least privilege during authorized audits.
  • After dump, run gitleaks / trufflehog on full tree.

References

Related cheat sheets