Subversion (SVN)
aka subversion
Apache Subversion version control, svnserve on 3690. The repository's full history is the loot — secrets deleted in a later commit are recovered by checking out an earlier revision.
Ports
| Port | Proto | Notes |
|---|---|---|
| 3690 | tcp | svnserve protocol |
| 80 | tcp | HTTP(S)-backed repos (DAV) |
Fingerprint
- svn:// service on 3690; `svn info <url>` returns the repo UUID + revision
- Exposed .svn/ directory over HTTP
Key files
| Path | Holds | Sensitive |
|---|---|---|
| .svn/wc.db | working-copy metadata, sometimes cached creds | sensitive |
Exploitation primitives
- `svn checkout` the repo and read every file + commit message
- Walk history (`svn log -v`) and recover deleted secrets with `svn up -r <N>` / `svn cat -r <N>`
- Exposed .svn/ over HTTP → dump source with a ripper, exposing hard-coded creds
Overview
SVN keeps every revision of a repo, so a password committed once and “removed” later is still in history. svnserve listens on 3690.
Enumerate and check out
```bash
svn info svn://<TARGET>
svn checkout svn://<TARGET>/repo
```
Mine the history
List every change with messages:
```bash
svn log -v svn://<TARGET>/repo
```
Recover a secret deleted in a later revision:
```bash
svn up -r 2 && cat deleted_secret.txt
```
Hardening
Don’t commit secrets (rewrite history if you do), require auth on svnserve, and never expose .svn/ over the web server.
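To find what in your own repository still needs rotating or purging, the following added example (not part of the original page) parses `svn log -v --xml` output and lists every path that was deleted from HEAD but is still readable at an earlier revision. The sample log, the `deleted_paths` helper and the `SECRET_HINT` keyword list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `svn log -v --xml` output (not from a real repository).
SAMPLE_LOG = """<log>
<logentry revision="4"><author>bob</author>
<paths><path action="D" kind="file">/trunk/old_notes.md</path></paths>
<msg>cleanup</msg></logentry>
<logentry revision="3"><author>alice</author>
<paths><path action="D" kind="file">/trunk/deleted_secret.txt</path>
<path action="M" kind="file">/trunk/app.py</path></paths>
<msg>remove password file</msg></logentry>
<logentry revision="2"><author>alice</author>
<paths><path action="A" kind="file">/trunk/deleted_secret.txt</path></paths>
<msg>add deploy config</msg></logentry>
<logentry revision="1"><author>bob</author>
<paths><path action="A" kind="file">/trunk/app.py</path>
<path action="A" kind="file">/trunk/old_notes.md</path></paths>
<msg>initial import</msg></logentry>
</log>"""

# Assumed keyword list for triage; tune it to your own naming conventions.
SECRET_HINT = re.compile(r"secret|passw|cred|token|\.(pem|key|env)$", re.I)

def deleted_paths(log_xml):
    """List paths deleted from HEAD that earlier revisions still serve."""
    entries = sorted(ET.fromstring(log_xml).iter("logentry"),
                     key=lambda e: int(e.get("revision")))  # oldest first
    added, findings = {}, []
    for entry in entries:
        rev = int(entry.get("revision"))
        msg = entry.findtext("msg", "")
        for node in entry.iter("path"):
            action, path = node.get("action"), node.text
            if action == "A":
                added[path] = rev
            elif action == "D":
                findings.append({
                    "path": path,
                    "added_in": added.pop(path, None),
                    "deleted_in": rev,
                    "last_readable": rev - 1,  # content still retrievable here
                    "suspicious": bool(SECRET_HINT.search(path)
                                       or SECRET_HINT.search(msg)),
                })
    return findings

if __name__ == "__main__":
    for finding in deleted_paths(SAMPLE_LOG):
        print(finding)
```

Feed it the output of `svn log -v --xml` for the repository under review. It only covers whole-path deletions; a secret edited out of a file that still exists (action `M`) needs a content diff between revisions instead.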