Dev Diaries (TryHackMe)
Introduction
The Dev Diaries challenge simulates a real-world scenario: a client's website was built by a freelance developer who disappeared without handing over the source code. With only the primary domain as a starting point, the goal was to use OSINT techniques to recover as much information as possible — subdomains, developer identity, and any traces left behind in public repositories.
The challenge touches on subdomain enumeration, web archive recon, GitHub OSINT, and Git commit history analysis. No exploitation involved — just following the breadcrumbs developers unknowingly leave in public spaces.
Challenge
We have just launched a website developed by a freelance developer. The source code was not shared with us, and the developer has since disappeared without handing it over.
Despite this, traces of the development process and earlier versions of the website may still exist online.
You are only given the website's primary domain as a starting point: marvenly.com
Answer the questions below
What is the subdomain where the development version of the website is hosted?
The thought was to try to do subdomain enumeration. None of the categories of these first sets of commands worked:
curl -s "https://crt.sh/?q=%25.**target.com**&output=json" | jq -r '.[].name_value' | sort -u
subfinder -d **target.com** -o subdomains.txt
assetfinder --subs-only target.com
theHarvester -d target.com -b all
This one worked:
curl -s "http://web.archive.org/cdx/search/cdx?url=.marvenly.com/&output=text&fl=original&collapse=urlkey" | sort -u
https://uat-testing.marvenly.com/ https://uat-testing.marvenly.com/favicon.ico
What is the GitHub username of the developer?
visited the subdomain of marvenly.com and found the github username of the developer.
What is the developer's email address?
I cloned the GitHub repository that was on their GitHub profile and ran a git log command, this enables me to find their email address:
git log
What reason did the developer mention in the commit history for removing the source code?
Looking through the commits to the repo one of the commit messages states the reason why the project was abandoned:
What is the value of the hidden flag?
Through one of the commits, we find the hidden signature which is the flag:
Conclusion
This challenge is a clean example of how much a developer unknowingly exposes through normal workflow habits. The repository was never made private, and no attempt was made to sanitize commit history — which meant a real name, email address, and even the reason for abandoning the project were all sitting in plain sight via git log.
Why This Matters for Developers
Starting from just a domain, standard OSINT techniques surfaced:
A staging subdomain via Wayback Machine
A GitHub username from the live site
A real email address baked into commit metadata
A commit message documenting a payment dispute — essentially a private conversation left public
Git history is immutable by design. Even if a repo is later deleted or made private, anyone who cloned or cached it before that point retains full history. A commit message is not a private note — it is a permanent, searchable artifact.
Remediation for Developers
Use GitHub's no-reply email (
username@users.noreply.github.com) for commits to prevent real email exposureEnable "Block command line pushes that expose my email" in GitHub settings
Treat commit messages as public documentation — never include sensitive context
If a repo must be cleaned, use
git filter-branchorgit filter-repobefore it ever goes public
The real lesson here is not just technical — it is that OSINT does not require exploiting anything. Public information, assembled carefully, tells the full story. In this case it told us who built the site, how to contact them, and exactly why the working relationship ended.
