# Dev Diaries (TryHackMe)

## Introduction

The [Dev Diaries](https://tryhackme.com/room/devdiaries) challenge simulates a real-world scenario: a client's website was built by a freelance developer who disappeared without handing over the source code. With only the primary domain as a starting point, the goal was to use OSINT techniques to recover as much information as possible — subdomains, developer identity, and any traces left behind in public repositories.

The challenge touches on subdomain enumeration, web archive recon, GitHub OSINT, and Git commit history analysis. No exploitation involved — just following the breadcrumbs developers unknowingly leave in public spaces.

## Challenge

We have just launched a website developed by a freelance developer. The source code was not shared with us, and the developer has since disappeared without handing it over.

Despite this, traces of the development process and earlier versions of the website may still exist online.

You are only given the website's primary domain as a starting point: [**marvenly.com**](http://marvenly.com)

### Answer the questions below

What is the subdomain where the development version of the website is hosted?

The first thought was to try subdomain enumeration. None of the commands in this first set worked:

```shell
# Certificate transparency logs via crt.sh
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u

# Passive subdomain enumeration tools
subfinder -d target.com -o subdomains.txt

assetfinder --subs-only target.com

theHarvester -d target.com -b all
```

This one worked:

```shell
# Ask the Wayback Machine CDX index for every archived URL under the domain
curl -s "http://web.archive.org/cdx/search/cdx?url=*.marvenly.com/*&output=text&fl=original&collapse=urlkey" | sort -u

# Output:
# https://uat-testing.marvenly.com/
# https://uat-testing.marvenly.com/favicon.ico
```

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/ecae4912-2459-4ee3-a207-59675357a1da.jpg align="center")

What is the GitHub username of the developer?

I visited the subdomain of `marvenly.com` and found the GitHub username of the developer.

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/bb589a50-c060-40e4-a575-65d7a7471b65.png align="center")

What is the developer's email address?

I cloned the GitHub repository that was on their GitHub profile and ran `git log`, which enabled me to find their email address:

```shell
git log
```

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/94bf6950-1c7f-4236-9e35-4a61cadde4c8.jpg align="center")

What reason did the developer mention in the commit history for removing the source code?

Looking through the commits to the repo, one of the commit messages states the reason why the project was abandoned:

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/5d7942a1-e9c5-4f95-965c-4b1c15a466d3.png align="center")

What is the value of the hidden flag?

Through one of the commits, we find the hidden signature, which is the flag:

![](https://cdn.hashnode.com/uploads/covers/5f4a98085ee1ba597542e097/4442755c-ab79-4756-9281-1f158d9cc326.png align="center")

## Conclusion

This challenge is a clean example of how much a developer unknowingly exposes through normal workflow habits. The repository was never made private, and no attempt was made to sanitize commit history — which meant a real name, email address, and even the reason for abandoning the project were all sitting in plain sight via `git log`.

### Why This Matters for Developers

Starting from just a domain, standard OSINT techniques surfaced:

*   A staging subdomain via Wayback Machine
*   A GitHub username from the live site
*   A real email address baked into commit metadata
*   A commit message documenting a payment dispute — essentially a private conversation left public

Git history is immutable by design. Even if a repo is later deleted or made private, anyone who cloned or cached it before that point retains full history. A commit message is not a private note — it is a permanent, searchable artifact.

### Remediation for Developers

*   Use GitHub's no-reply email (`username@users.noreply.github.com`) for commits to prevent real email exposure
*   Enable "Block command line pushes that expose my email" in GitHub settings
*   Treat commit messages as public documentation — never include sensitive context
*   If a repo must be cleaned, use `git filter-branch` or `git filter-repo` before it ever goes public
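
A pre-publication check for the exposures listed above, added here as an example and not part of the original write-up: it reads `git log` output and reports author or committer addresses that are not GitHub no-reply addresses, plus commit subjects that match a watch-list. The function names, the watch-list words and the sample commits are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit commit metadata before a repository goes public.
# Real use, from inside the repository:
#   git log --all --format='%h%x09%ae%x09%ce%x09%s' | audit_commits
# Input : one commit per line: hash <TAB> author email <TAB> committer email <TAB> subject
# Output: one finding per line: hash <TAB> kind <TAB> value

audit_commits() {
  # $1 (optional): lowercase extended regex of words that should not appear
  # in commit subjects. The default list is an assumption; adapt it.
  awk -F'\t' -v words="${1:-invoice|payment|unpaid|password|secret|client}" '
    function check(kind, addr) {
      # GitHub no-reply addresses and the web-UI committer are treated as safe
      if (addr ~ /@users\.noreply\.github\.com$/ || addr == "noreply@github.com") return
      if ((kind, addr) in seen) return      # report each address once per role
      seen[kind, addr] = 1
      printf "%s\t%s\t%s\n", $1, kind, addr
    }
    NF >= 4 {
      check("author-email", $2)
      check("committer-email", $3)
      subject = $0                          # keep subjects that contain tabs intact
      sub(/^[^\t]*\t[^\t]*\t[^\t]*\t/, "", subject)
      if (tolower(subject) ~ words) printf "%s\tsubject\t%s\n", $1, subject
    }
  '
}

# Constructed sample history (not taken from the challenge repository).
sample_log() {
  printf 'a1b2c3d\t12345+devuser@users.noreply.github.com\tnoreply@github.com\tInitial commit\n'
  printf 'e4f5a6b\tjane.doe@example.com\tjane.doe@example.com\tAdd landing page\n'
  printf 'c7d8e9f\tjane.doe@example.com\tjane.doe@example.com\tRemove source until invoice is paid\n'
}

sample_log | audit_commits
```

Any line in the output is something to fix before the first public push; once pushed, the cleanup options in the list above only help people who have not already cloned the repository.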
    

The real lesson here is not just technical — it is that OSINT does not require exploiting anything. Public information, assembled carefully, tells the full story. In this case it told us who built the site, how to contact them, and exactly why the working relationship ended.
