📜 OverTheWire Bandit Level 29: Finding Secrets in Git History

Level 29 builds on what you learned about Git in Level 28, but adds a critical security lesson: secrets removed from files are still accessible in Git history. This level teaches you how to view commit history, examine changes in commits, and understand why "deleting" sensitive data from Git doesn't actually remove it.

Level 29 teaches you:

• Viewing Git commit history
• Examining changes in commits
• Understanding Git diffs
• Finding secrets in old commits
• Why deleted files aren't really deleted in Git

If you've made it this far, you understand Git basics. Now you're learning about Git history—a common source of exposed secrets in real-world security assessments.

---

🎯 The Objective

After logging into bandit28, your goal is to find the password for Level 29. There's a Git repository at ssh://bandit28-git@localhost/home/bandit28-git/repo. The password for the user bandit28-git is the same as for the user bandit28.

What Level 29 teaches:

• Viewing Git commit history
• Examining commit changes
• Understanding Git diffs
• Finding secrets in history
• Why Git history matters for security

The challenge: The README file shows a blank password field, but the password was in a previous commit. You need to check Git history to find it.

---

🔍 Understanding the Problem

Let's start by connecting to Level 28:

sshpass -p `cat bandit28` ssh bandit28@bandit.labs.overthewire.org -p 2220

Once connected, let's clone the repository:

mkdir -p /tmp/m1k3
cd /tmp/m1k3
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
cd repo

The problem: When you read the README file, the password field is blank. But Git keeps history of all changes, so the password is still accessible in a previous commit.

---

🧠 Understanding Git History and Commits

Here's what's happening: Git stores a complete history of all changes. Even if you "delete" something, it's still in the history.

How Git History Works

Git commits are snapshots of your repository at specific points in time:

• Each commit has a unique hash
• Commits store what changed
• History goes back to the beginning
• Nothing is truly deleted

Why this matters:

• Secrets in old commits are still accessible
• "Deleting" a file doesn't remove it from history
• Commit history can expose sensitive information
• This is a common security issue

Understanding Git Log

git log shows commit history:

• Lists all commits
• Shows commit messages
• Shows who made changes
• Shows when changes were made

Common options:

• git log — Show all commits
• git log -p — Show commits with diffs (changes)
• git log -1 — Show only the most recent commit
• git log -p -1 — Show most recent commit with changes

Understanding Git Diffs

A diff shows what changed between commits:

• + lines — Added content
• - lines — Removed content
• Context lines — Unchanged content

In Level 29: You'll see a commit where the password was removed (changed from a value to blank). The diff will show the old password value.

---

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 28

sshpass -p `cat bandit28` ssh bandit28@bandit.labs.overthewire.org -p 2220

Step 2: Get the Password Ready

You'll need the bandit28 password for the Git clone:

cat /etc/bandit_pass/bandit28

Copy this password.

Step 3: Create Temporary Directory and Clone

mkdir -p /tmp/m1k3
cd /tmp/m1k3
git clone ssh://bandit28-git@localhost/home/bandit28-git/repo
cd repo

When prompted, paste the bandit28 password.

Step 4: Check Repository Contents

ls -la

You should see a README.md file.

Step 5: Read the README File

cat README.md

What you'll see:

# Bandit Notes
Some notes for bandit30 of bandit.

## Credentials

- username: bandit29
- password: [blank or removed]

The problem: The password field is blank! But Git history might have it.

Step 6: View Git Commit History

Let's see the commit history:

git log

What you'll see:

commit abc123def456... (HEAD -> master, origin/master, origin/HEAD)
Author: ...
Date: ...

    fix info leak

commit xyz789uvw012...
Author: ...
Date: ...

    add missing data

The key: There are multiple commits. One says "fix info leak" — that's probably where the password was removed! The commit before that likely has the password.

Step 7: View Changes in Commits

Let's see what changed in each commit. First, let's see the most recent commit with its changes:

git log -p -1

What -p does: Shows the diff (what changed) What -1 does: Shows only the most recent commit

What you'll see:

commit abc123def456...
Author: ...
Date: ...

    fix info leak

diff --git a/README.md b/README.md
index 1234567..abcdefg 100644
--- a/README.md
+++ b/README.md
@@ -5,4 +5,4 @@ Some notes for bandit30 of bandit.
 ## Credentials

 - username: bandit29
-- password: [ACTUAL_PASSWORD_HERE]
+- password: 

The key: The - line shows what was removed (the password), and the + line shows what was added (blank). The password is in the - line!

Step 8: View All Commits with Changes

If you want to see all commits with their changes:

git log -p

This shows all commits with full diffs. Look for the commit that removed the password.

Step 9: Alternative: View Specific Commit

You can also view a specific commit:

git show HEAD

Or view the previous commit:

git show HEAD~1

What you'll see: The full commit with all changes, including the password that was removed.

Step 10: Extract the Password

From the git log output, find the line that shows:

- password: [PASSWORD_HERE]

That's your password for Level 29!

Step 11: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit29

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit29 -NoNewline

Step 12: Connect to Level 29

sshpass -p `cat bandit29` ssh bandit29@bandit.labs.overthewire.org -p 2220

---

💡 Understanding Git History in Depth

Let's dive deeper into Git history concepts:

Git Commit Structure

Each commit contains:

• Hash — Unique identifier (e.g., abc123def456...)
• Author — Who made the commit
• Date — When it was made
• Message — Description of changes
• Changes — What files changed and how

Understanding Diffs

A diff shows:

• File names — Which files changed
• Line numbers — Where changes occurred
• Old content — What was there before (-)
• New content — What's there now (+)

Example:

- password: secret123
+ password: 

This shows the password secret123 was removed and replaced with blank.

Why Secrets Persist in Git

The problem:

• Git stores complete history
• "Deleting" a file doesn't remove it from history
• Old commits are still accessible
• Secrets can be recovered

Why this happens:

• Developers commit secrets accidentally
• Secrets removed later are still in history
• Public repositories expose all history
• .git directories can be accessed

---

🔒 Real-World Context

Why does this matter in penetration testing?

Git history is a goldmine for finding secrets:

1. Finding Secrets in History

In real assessments, you might:

• Clone repositories
• Check commit history
• Search for keywords
• Extract old credentials

The technique: Same as Level 29—check Git history for removed secrets.

2. Common Git Security Issues

Secrets in history:

• Passwords in old commits
• API keys that were removed
• Credentials in commit messages
• Configuration files with secrets

Why it's dangerous:

• History is permanent (unless rewritten)
• Public repos expose all history
• .git directories can be accessed
• Old secrets are still valid

3. Real-World Examples

Common scenarios:

• Developer commits password, then removes it
• API key in old commit still works
• Credentials in commit message
• Secrets in deleted files

The skill you're learning: How to analyze Git history to find secrets. This is essential for:

• Finding exposed credentials
• Understanding code changes
• Discovering sensitive information
• Security auditing

---

🛠️ Alternative Methods

Here are different ways to approach Level 29:

Method 1: git log -p (Recommended)

git log -p
# Look through commits for password removal

Pros: Shows all commits with changes Cons: Can be verbose

Method 2: git log -p -1

git log -p -1
# Shows most recent commit with changes

Pros: Focuses on latest change Cons: Might miss if password was removed earlier

Method 3: git show HEAD

git show HEAD
# Shows most recent commit

Pros: Detailed view of latest commit Cons: Only shows one commit

Method 4: git show HEAD~1

git show HEAD~1
# Shows previous commit

Pros: Shows commit before password removal Cons: Need to know which commit to check

Method 5: Search All Commits

git log --all --full-history -p | grep -i password

Pros: Searches all history for password Cons: Might find false positives

For Level 29, use Method 1 or 2 — they're the most straightforward.

---

🚨 Common Mistakes

Mistake 1: Only Reading Current Files

Wrong: Reading README.md, seeing blank password, giving up.

Right: Check Git history—secrets are often in old commits.

Why: Git keeps complete history. "Deleted" content is still accessible.

Mistake 2: Not Understanding Git Log Output

Wrong: Running git log but not understanding what it shows.

Right: Use git log -p to see changes, or git show to see specific commits.

Why: git log alone doesn't show what changed—you need -p for diffs.

Mistake 3: Looking at Wrong Commit

Wrong: Checking the most recent commit when password was removed earlier.

Right: Check multiple commits, especially ones with messages like "fix info leak" or "remove password".

Why: The password removal commit shows the old value in the diff.

Mistake 4: Not Understanding Diff Format

Wrong: Not recognizing that - lines show removed content (which includes the password).

Right: Understand that - shows what was removed, + shows what was added.

Why: The password is in the - line of the diff that removed it.

Mistake 5: Overcomplicating It

Wrong thinking: "I need to restore old files or use complex Git commands."

Reality: Just use git log -p and look for the commit that removed the password. The diff shows the old value.

Solution: Keep it simple—check commit history, find the removal commit, read the diff.

---

💻 Practice Exercise

Try these to reinforce what you learned:

1. Understand git log:

   git log
   git log --oneline
   git log -p
   

2. View specific commits:

   git show HEAD
   git show HEAD~1
   git show HEAD~2
   

3. Search commit history:

   git log --all --grep="password"
   git log -S "password" -p
   

4. Understand diffs:

   git diff HEAD~1 HEAD
   

---

🎓 Understanding Version Control Security

This level introduces version control security concepts:

Why Git History Matters

Security implications:

• Secrets persist in history
• "Deleted" files aren't really deleted
• Public repos expose all history
• History can be accessed by anyone with repo access

Best Practices

To avoid exposing secrets:

• Never commit secrets
• Use .gitignore for sensitive files
• Use environment variables or secrets managers
• If secrets are committed, rewrite history (advanced)

If secrets are exposed:

• Rotate all exposed credentials immediately
• Consider repository history as compromised
• May need to make repository private or delete it

The skill you're learning: How to find secrets in Git history. This is essential for:

• Security auditing
• Penetration testing
• Understanding version control security
• Finding exposed credentials

---

🔗 What's Next?

Level 30 will likely build on Git concepts further, possibly involving branches, tags, or more advanced Git operations.

Before moving on, make sure you:

• ✅ Understand Git commit history
• ✅ Can view commits with changes (git log -p)
• ✅ Understand diff format (- and + lines)
• ✅ Know why secrets persist in Git history

---

📚 Key Takeaways

After completing Level 29, you should understand:

1. Git history — Complete record of all changes
2. Commit diffs — What changed in each commit
3. Secrets in history — Why deleted secrets are still accessible
4. git log -p — View commits with changes
5. Security implications — Why Git history matters for security

---

🎯 Quick Reference

Concept	Explanation	Example
git log	Show commit history	git log
git log -p	Show commits with changes	git log -p
git show	Show specific commit	git show HEAD
Diff	Shows changes	- removed, + added
History	All commits	Nothing is truly deleted

---

🔍 Advanced: Understanding Git Security

If you want to go deeper, here's Git security:

Removing Secrets from History

If secrets are committed:

• Rotate credentials — Most important!
• Rewrite history — Use git filter-branch or BFG Repo-Cleaner
• Force push — Update remote repository
• Warn collaborators — They need to re-clone

Warning: Rewriting history is destructive and complex. Prevention is better than cure.

Finding Secrets in Git

Techniques:

• Check commit history (git log -p)
• Search for keywords (grep -r "password")
• Check all branches (git branch -a)
• Review commit messages
• Check deleted files

In Level 29: The password was in a commit that removed it. The diff showed the old value.

---

Questions about Level 29, Git history, or version control security? Reach out directly:

• Email: m1k3@msquarellc.net
• Phone: (559) 670-3159
• Schedule: Book a free consultation

---

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice