Web Security

PortSwigger Academy - Information Disclosure in Version Control History

This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.

L0WK3Y
· 5 min read
Send by email
infophreak 2025

Lab Overview


This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.

Instructions

To solve the lab:

  1. Obtain the password for the administrator user.
  2. Access the admin interface.
  3. Delete the user carlos.

In this blog post, I’ll explore a vulnerability that stems from exposing a .git directory on a production server. By exploiting this misconfiguration, I uncovered sensitive information, including an administrator password, which I then used to complete the challenge by logging in and deleting a user. This post walks through the steps I took to identify and exploit the issue, the underlying vulnerability, and remediation strategies.


Overview of the Challenge

The lab’s objective was to exploit an exposed .git directory to extract sensitive information, including the administrator password, and then log in to delete the user carlos. This challenge highlights how poor version control practices and improper server configuration can lead to severe security risks.


Initial Reconnaissance

The first step in any assessment is reconnaissance. I started by scanning the lab’s directory structure using common tools like Dirbuster to identify hidden or sensitive files and directories.

Before long, the scan revealed the presence of a .git directory:

img

This was the first sign of a serious misconfiguration. The .git directory contains the version control history of the web application’s codebase, including sensitive commits.


Exploring the .git Directory

Navigating to the .git directory in the browser, I was greeted with several files and folders that make up the repository:

img2

One key file is the config file, which contains metadata about the repository, such as remote URLs. While it didn’t reveal anything sensitive initially, I noted it for potential future use.


Cloning the .git Repository

To analyze the full version control history, I downloaded the .git repository to my local machine using wget. If you’re on macOS and don’t have wget installed, you can install it via Homebrew (brew install wget).

wget -r [LAB_URL]/.git

Once the repository was downloaded, I navigated to the .git directory and initialized the sequence of Git commands below to analyze the history.


Investigating the Git Log

Using the git log command, I checked the commit history of the repository. This revealed several commits, including one that especially stood out—the administrator account.

git log

img3

The commit message hinted at changes related to authentication, which seemed like a good lead. My next step was to examine the commit in detail.


Examining Commit History

To dive deeper, I used the git show command to inspect the details of the commits. One commit revealed the following sensitive information:

git show <commit-id>

The commit included the administrator password, which had been hardcoded into the codebase and later removed. However, as is the nature of Git, the credentials remained in the commit history:

img3

With the password in hand, I was able to log in as the administrator and complete the challenge by deleting the user carlos.


Why It's Vulnerable

This lab highlights multiple issues stemming from poor version control practices and server misconfigurations:

1. Exposed .git Directory:

The web server’s .git directory was publicly accessible, allowing anyone to download the repository and analyze its history. This is a critical misconfiguration that should never occur in production environments.

2. Sensitive Information in Version Control History:

The developers committed sensitive credentials (the administrator password) into the repository. Although they removed the credentials in a later commit, Git’s version control design retains the entire history, making the credentials retrievable.

3. Improper Remediation Practices:

Attempting to remove sensitive data by making a new commit is insufficient. Without rewriting the commit history, the sensitive data remains accessible.


The Impact

The consequences of exposing a .git directory can be severe:

  • Credential Leakage:
    Hardcoded credentials, like the administrator password in this case, can be extracted from the repository.
  • Codebase Exposure:
    The entire source code of the application, including potential vulnerabilities, is exposed to attackers.
  • Sensitive Metadata Disclosure:
    The config file and other .git metadata can reveal details about the repository, such as remote URLs and developer information.