July 17, 2026
Lab 3 : Source code disclosure via backup files
Lab Objective
By Zeyad Naguib
1 min read
Lab Objective
The goal of this lab is to locate leaked backup files and extract a hard-coded database password from the disclosed source code.
Step-by-Step Solution
1. Check robots.txt for hidden paths
robots.txt is designed to tell search engine crawlers which paths not to index :
/robots.txt/robots.txtrevealed a disallowed /backup directory.
2. Enumerate the backup directory
Browsing directly to /backup surfaced a file named:
ProductTemplate.java.bakProductTemplate.java.bak
3. Retrieve and read the leaked source file
Navigating to:
/backup/ProductTemplate.java.bak/backup/ProductTemplate.java.bak4. Extract the hard-coded credential
Reading through the disclosed source, the database connection logic contained a hard-coded password used to authenticate against a Postgres database.
5. Submit the solution
I copied the password value, returned to the lab, clicked Submit solution, and entered it. The lab was marked as solved.
Written by Zeyad Naguib,
๐ https://www.linkedin.com/in/zeyadnageeb โ๏ธ https://medium.com/@zeyadnaguib1