Loop & Roam Records
An independent record label has a clean little website. Two pages deep into recon you find a directory that the deploy script wasn't supposed to send up. The label's designer made one small mistake with `git`, fixed it the next minute, and shipped it anyway.
The Scenario
Loop & Roam was founded in a Detroit garage in 2011 by a bassist named Jovan who got tired of touring and wanted to put out his friends' records. The site is maintained by Aphra, a contract designer who was learning git when she built it. One night in February 2024 she committed a `.env` with prod credentials, noticed an hour later, ran `git rm .env`, and pushed. The deploy script `rsync`s the working tree — including the `.git/` directory — to the public web root.
Challenge Intel
Synopsis
The site serves its `.git/` directory at `/.git/`. A `.env` was committed to history, then deleted in the next commit — the blob is still in the object database. Players reconstruct the repo (git-dumper, or by walking objects), run `git log`, and recover the deleted file with `git show`.
What It Is
On container start, `entrypoint.sh` builds a 9-commit history of the Loop & Roam site. Commit 5 adds a `.env` file containing several plausible production secrets — Stripe, Mailgun, Bandcamp, a Postgres DSN — and the flag is the `INTERNAL_REF` value. Commit 6 deletes the `.env` and adds a `.gitignore`. Commits 7–9 add the rest of the site so the bad commit isn't at HEAD. The Flask app has a `/.git/<path>` route that serves files from `/app/leaked_repo/.git/`, simulating an nginx misconfiguration that exposes `.git/`. The repo's HEAD holds the actual site source (templates, static CSS, `app.py`): check out HEAD and a player has a runnable copy of the site.
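The mechanism behind the synopsis, as an added example (not the challenge's own `entrypoint.sh`, which builds its history with real git): a small Python audit that writes loose objects exactly the way git stores them, then walks `objects/` and flags every blob still carrying secret-looking lines, whether or not any current tree references it. The `.env` values and the temp-directory layout are constructed placeholders; run it against a real `.git/` before deploying to see what `git rm` did not remove.

```python
import hashlib, os, re, tempfile, zlib

# Matches lines such as STRIPE_SECRET_KEY=... or INTERNAL_REF=... inside a blob.
SECRET_RE = re.compile(rb"^(?P<key>[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD|DSN|REF))=.+$", re.M)

def write_loose_object(git_dir, kind, data):
    """Store data as git does: zlib("<type> <len>\\0<data>") at objects/xx/yyyy, named by SHA-1."""
    raw = b"%s %d\x00" % (kind.encode(), len(data)) + data
    oid = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid

def read_loose_object(path):
    """Inverse of write_loose_object: return (type, body) for one loose object file."""
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, _, body = raw.partition(b"\x00")
    return header.split(b" ")[0].decode(), body

def scan_blobs_for_secrets(git_dir):
    """Walk every loose object; return {oid: [secret keys]} for blobs that match."""
    hits = {}
    objdir = os.path.join(git_dir, "objects")
    for prefix in os.listdir(objdir):
        if len(prefix) != 2: continue  # skip info/ and pack/
        for rest in os.listdir(os.path.join(objdir, prefix)):
            kind, body = read_loose_object(os.path.join(objdir, prefix, rest))
            if kind != "blob": continue  # trees and commits carry no file content
            keys = [m.group("key").decode() for m in SECRET_RE.finditer(body)]
            if keys:
                hits[prefix + rest] = keys
    return hits

def demo():
    """Constructed store: the .env blob outlives `git rm .env`, so the audit still finds it."""
    git_dir = tempfile.mkdtemp(suffix=".git")
    os.makedirs(os.path.join(git_dir, "objects"))
    env = (b"SITE_NAME=Loop & Roam Records\n"  # harmless setting, must not be flagged
           b"STRIPE_SECRET_KEY=sk_PLACEHOLDER\nMAILGUN_TOKEN=PLACEHOLDER\n"  # constructed
           b"INTERNAL_REF=flag{PLACEHOLDER}\n")
    write_loose_object(git_dir, "blob", env)  # what commit 5 wrote
    write_loose_object(git_dir, "blob", b"body { margin: 0 }\n")  # an ordinary site file
    # Commit 6's `git rm .env` only writes a new tree without the entry; no object is
    # deleted, so the blob is still on disk and still readable by anyone who can fetch it.
    return scan_blobs_for_secrets(git_dir)
```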
Who It's For
Players who can already do basic recon (have they tried `/.git/HEAD` yet?) and have git installed. The capstone of the "things people accidentally publish" thread that runs through Web Fundamentals.
Skills You'll Practice
- Spotting an exposed `/.git/` on a target
- Reconstructing a repo from web-accessible `.git/` objects (git-dumper)
- Reading `git log` for suspicious commit messages
- Recovering deleted files with `git show <commit>:<path>`
What You'll Gain
- Removing a file in git does not remove it from history
- `.git/` on a web root is one of the highest-signal recon hits there is
- Web servers must explicitly deny `.git/`, `.svn/`, `.hg/` — defaults are not enough
Ready to hack Loop & Roam Records?
This challenge is free. Sign up and start hacking.