> For the complete documentation index, see [llms.txt](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dev-angelist.gitbook.io/writeups-and-walkthroughs/portswigger-web-security-academy/information-disclosure/common-sources-of-information-disclosure/information-disclosure-in-version-control-history.md). # Information disclosure in version control history ## Description This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the `administrator` user then log in and delete the user `carlos`. ## Solution

Adding `.git` we obtain a version control history:

Deep dive to each dir/file to check if there're some interesting data: #### HEAD

``` ref: refs/heads/master ``` #### CONFIG

``` [user] email = carlos@carlos-montoya.net name = Carlos Montoya ``` #### COMMIT\_EDITMSG

#### /refs/heads/master In the 'Head' page there's a potential path, trying to go there: `/refs/heads/master` there's an alphanumeric string:

``` ff5435104086dbedd8f46b0a70ffb51cca1b1a44 ``` #### /logs/HEAD and remembering COMMIT\_EDITMSG page and searching into others directories, theres a great info into: `/logs/HEAD`

``` 0000000000000000000000000000000000000000 b25706d68b5971f903aadce94f299ef2371ee46f Carlos Montoya 1742510797 +0000 commit (initial): Add skeleton admin panel b25706d68b5971f903aadce94f299ef2371ee46f ff5435104086dbedd8f46b0a70ffb51cca1b1a44 Carlos Montoya 1742510797 +0000 commit: Remove admin password from config ``` #### index Downloading and opening index file there're an encoded text in hex: ``` DIRC\00\00\00\02\00\00\00\02\67\DC\9A\CD\0D\1F\F9\23\67\DC\9A\CD\0D\1F\F9\23\00\00\00\4B\00\31\42\CF\00\00\81\A4\00\00\2E\E2\00\00\2E\E2\00\00\00\25\21\D2\3F\13\CE\6C\70\4B\81\85\73\79\A3\E2\47\E3\43\6F\4B\26\00\0A\61\64\6D\69\6E\2E\63\6F\6E\66\00 \00\00\00\00\00\00\00\67\DC\9A\CD\01\AE\43\06\67\DC\9A\CD\01\AE\43\06\00\00\00\4B\00\31\42\CE\00\00\81\A4\00\00\2E\E2\00\00\2E\E2\00\00\00\58\89\44\E3\B9\85\36\91\43\1D\C5\8D\5F\49\78\D3\94\0C\EA\4A\F2\00\0F\61\64\6D\69\6E\5F\70\61\6E\65\6C \2E\70\68\70\00\00\00\54\52\45\45\00\00\00\19\00\32\20\30\0A\21\54\55\59\44\00\27\91\A4\D2\74\12\BF\6E\9A\6F\29\E9\42\FA\0E\DD\0E\69\1B\C0\88\2E\F4\9C\F4\9F\4A\5B\13\19\96\04\1A\B7sa ``` that in clear text contains interesting data: * `admin.conf` * `admin_panel.php`

Adding those paths, I've not found a solution, so i decided to download the entire git directories and use a dedicated tool. Download Git Dir: `wget -r https://0afe00be03be902083195529004100e5.web-security-academy.net/.git` Now we've download all git files locally, so go there to investigate well (`cd ~/Documents/0a2000e40417d00885e2135600ed00cb.web-security-academy.net/.git`), files are hidden by default, so we can see them using the flag -h `(ls -lah`). It seems the same thing, so we can try to use git commands to check logs: `git log`

Great, only now i've undestand that those values were about git commits, so the first one seems more interesting, explore it using git show command: `git show e06350084adb1d7a44eef13faf0a9cd6cac55bd5`

and finally we obtain the admin password value! Awesome, now we can login us as administrator (`administrator::bohd9ui3rn3yqzgsktq1`)

go to admin portal page:

and delete 'Carlos' user completing the lab.

--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dev-angelist.gitbook.io/writeups-and-walkthroughs/portswigger-web-security-academy/information-disclosure/common-sources-of-information-disclosure/information-disclosure-in-version-control-history.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.