Attack Defense – DevSecOps

Continuing with the DevOps theme, today I will be trying out some of the DevSecOps labs that are offered by Follow the blue dots.

Target Discovery

Basic nmap ping scan to identify our target




Now that we know our target IP, let's look at the lab objectives:

As the port scan shows us, port 80 is open on our target, so let's focus there. As usual, the first step is to look for discoverable content. Let's use DIRB and see if there is any low-hanging fruit that could contain a password.


Bingo! “.git”, that’s our focus.

Head over to and clone it locally. This is the toolkit we are going to use to complete the rest of the lab. The idea here is to first dump git to our local machine, extract it and look for a password (hopefully left in the repo).


./ dump


./ /root/tools/GitTools/Dumper/dump/ extract


We have extracted our dump taken from the web server at port 80. It's time to look for potentially sensitive files.

Config.php – Bingo!
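
The lab works because a .git directory sits inside the served document root and a credential is stored in a file next to it. To check a deployment of your own for that condition, the following added example (not part of the original post or the lab) walks a local document root, reports version-control metadata directories, and flags config files containing credential-like assignments. The regex, the extension list and the constructed sample files are assumptions for illustration.

```python
import os
import re
import tempfile

# VCS metadata directories that should never sit under a served document root.
VCS_DIRS = {".git", ".svn", ".hg"}
# Heuristic for hardcoded credentials such as $db_password = "..." (assumed pattern).
SECRET_RE = re.compile(
    r"""(?i)(pass(word|wd)?|secret|api_?key)\w*['"\]]*\s*(=>|=|:)\s*['"]([^'"]{4,})['"]"""
)
CONFIG_EXTS = (".php", ".env", ".ini", ".yml", ".yaml", ".json")


def audit_docroot(docroot):
    """Return (exposed_vcs_dirs, secret_hits) for files under docroot."""
    exposed, hits = [], []
    for base, dirs, files in os.walk(docroot):
        for d in list(dirs):
            if d in VCS_DIRS:
                exposed.append(os.path.relpath(os.path.join(base, d), docroot))
                dirs.remove(d)  # do not descend into object stores
        for name in files:
            if not name.lower().endswith(CONFIG_EXTS):
                continue
            path = os.path.join(base, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SECRET_RE.search(line):
                        # Report location only; never echo the secret itself.
                        hits.append((os.path.relpath(path, docroot), lineno))
    return sorted(exposed), sorted(hits)


def demo():
    """Build a constructed docroot resembling the lab target and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git", "objects"))
        with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/master\n")
        with open(os.path.join(root, "config.php"), "w") as fh:
            fh.write('<?php\n$db_user = "app";\n$db_password = "constructed-example";\n')
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello';\n")
        return audit_docroot(root)


if __name__ == "__main__":
    print(demo())
```

Any directory it reports should be removed from the deployed tree or denied at the web server, and any flagged credential should be rotated and moved out of the repository, since it also persists in the git history.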