Information Disclosure Labs Overview

Tools Used:

1. Burp Interceptor, Repeater and Intruder

The labs surrounding information disclosure are quite easier compared to other topics. Viewing source code, robots.txt file ( to view routes that are to be ignored or allowed to scrape ), error messages and comments in source were some of the way to gather information.

But one lab which particularly involved exposed git file made it fun to work on the said lab.

Lab Infoleak in version control history

1. Here we first get the .git file on path sitename/.git
2. Then we download the git repo itself by using command

   wget --mirror -I .git https://ace11f441e93d9aac08983a50027004a.web-security-academy.net/.git
   

3. Check previous commit messages.
4. One of the commit message consisted admin password and we already knew admin username which is admin