Paper Trail
An independent investigative-journalism site by a reporter who deploys her own builds. Something about the way the docroot was published looks off.
The Scenario
Paper Trail is Mara Quinn's investigative-journalism site. She files records requests, writes long-form pieces about municipal infrastructure, and publishes from a laptop. After a contractor "tidied up" her deployment, an editor noticed the site was serving something it shouldn't be. Start at the public landing page and find what's leaking — and what that leak lets you reach.
Challenge Intel
Synopsis
An exposed .git directory ships the full app source — including a build endpoint that's live in production but isn't linked from the UI.
What It Is
The Apache docroot was deployed with `cp -r` from a working copy that still contained the `.git/` directory. `.git/HEAD`, `.git/config`, and the loose objects under `.git/objects/` are all reachable. Running `git-dumper` against the site rebuilds the working tree. The recovered tree contains `admin/build.php`, which is also present on the live server but is not linked from any navigation. Visiting `/admin/build.php` directly returns the contents of `/flag.txt`.
Who It's For
Players who have used Burp or curl to fetch non-linked files but haven't yet used git-dumper to reconstruct a source tree from an exposed `.git/`.
Skills You'll Practice
- Detecting exposed .git/ directories via /.git/HEAD or /.git/config
- Using git-dumper (or equivalent) to reconstruct the working tree
- Inspecting recovered source for unlinked routes
What You'll Gain
- A real workflow for exploiting one of the most common static-asset misconfigurations
- An intuition for why 'we delete the route from the menu' isn't a fix
Ready to hack Paper Trail?
Upgrade to Pro to unlock this challenge and the full library.