LookOut Discovering RCE and Internal Access on Looker (Googl...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout
• Blog Title: LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)
• Suggested Section: Pentesting Web -> (new or existing) Git/GitOps integration abuse / CI-like features abuse (e.g., add a section on Git hooksPath injection + native-git trigger + race), and cross-link to "File Inclusion/Path traversal" + "Race Condition" + "SQL Injection (MySQL error-based)"

🎯 Content Summary

LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem)

Source: Tenable Research (LookOut) blog post dated February 4, 2026.

Scope: Two vulnerabilities in Google Looker (not Looker Studio) that can lead to (1) remote code execution on the Looker server via a multi-primitive Git hooks chain and (2) full internal MySQL metadata DB exfiltration via an au...

🔧 Technical Details

1) Git hooksPath override → hook execution → RCE: If an application writes/rewrites a Git repo’s .git/config and concatenates user-controlled input into hooksPath, an attacker may inject traversal (e.g., ../../..) to redirect hooks to an attacker-chosen directory. To weaponize, ensure the server populates that directory with a hook file named like pre-commit and guarantee the executable bit is preserved across clones by setting it in Git metadata (e.g., git update-index --chmod=+x <file>, which stores mode 100755). Then trigger a native Git action that runs hooks (e.g., git commit) to execute the payload.

2) Create prerequisite directories by abusing clone destination/path controls: When a server-side “clone dependency” feature uses user-influenced paths (e.g., via dependency fields like ref or other parameters that affect...

🤖 Agent Actions

Updated HackTricks with Looker-derived techniques:

• Expanded pentesting-web/git.md with a server-side Git integration abuse section detailing hooksPath traversal, forced directory creation via clone paths, executable hook preparation (git update-index --chmod=+x), identifying native Git execution paths vs. JGit, and racing sanitization writes. Added cross-links to path traversal and race condition guidance plus referenced the Tenable LookOut blog.
• Augmented MySQL injection page with an error-based exfiltration pattern using updatexml() + concat() + LIMIT/OFFSET to leak data through XPATH errors, and updated references with the LookOut source.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> (new or existing) Git/GitOps integration abuse / CI-like features abuse (e.g., add a section on Git hooksPath injection + native-git trigger + race), and cross-link to "File Inclusion/Path traversal" + "Race Condition" + "SQL Injection (MySQL error-based)"".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0