Loop & Roam (git exposure)
Lab can be found at: https://webverselabs-pro.com/

We load the challenge and are greeted by a website promoting bands, tours and new music releases.

The lab says there was an accidental .git push, and we can see that .git is indeed exposing critical files, including all source code, deleted source code, secrets and more.

I downloaded and set up git-dumper to reconstruct the files so we can look at commit history:
(the .gitgot directory is where I was storing the data)

From here, I ran the following command to look for any flags, secrets and, of course, WebVerse flags within the data:
git log -p --all | grep -iE "(flag|secret|WEBVERSE)" | head -50
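
The same history search can be run as a pre-publish audit of your own repository, keeping the commit and file for each hit so the secret can be rotated and traced. This is an added example, not part of the original write-up; the function names, the `config.ini` file and the `API_SECRET` value are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit every commit on every ref for secret-looking lines.
# A file deleted in a later commit is still reported, because the line that
# added it stays in history.

# audit_history <repo> <lowercase-regex>
# Prints "<short-hash> <path>: <added line>" for each matching added line.
audit_history() {
  git -C "$1" log -p --all --no-color --format='commit %h' |
    awk -v re="$2" '
      /^commit /    { hash = $2; next }              # start of a commit
      /^\+\+\+ b\// { file = substr($0, 7); next }   # path of the file being patched
      /^\+\+\+ /    { next }                         # "+++ /dev/null" on deletions
      /^\+/ && tolower($0) ~ re { print hash, file ": " substr($0, 2) }
    '
}

# make_demo_repo: constructed repository where a secret is committed and then
# removed in the next commit. Prints the repository path.
make_demo_repo() {
  local repo
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  git -C "$repo" config commit.gpgsign false
  printf 'API_SECRET=constructed-not-real\n' > "$repo/config.ini"
  git -C "$repo" add config.ini
  git -C "$repo" commit -qm 'add config'
  git -C "$repo" rm -q config.ini
  git -C "$repo" commit -qm 'remove config'
  printf '%s\n' "$repo"
}

demo() {
  local repo
  repo=$(make_demo_repo)
  echo "files in working tree: $(ls "$repo" | wc -l)"
  echo "matches in history:"
  audit_history "$repo" '(flag|secret|webverse)'
  rm -rf "$repo"
}

demo
```

Any hit means the value should be treated as disclosed and rotated; removing the file in a later commit does not take it out of the history that an exposed .git directory serves.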

Thanks for following along!