Case file

Subdomain OSINT, GitHub footer leak, and commit-history secret

Foundations OSINT engagement: marvenly.com → uat-testing subdomain; footer username notvibecoder23 → GitHub repo; git log and older commits recovered email, abandonment note, and buried artifact.

Foundations18 minOSINT · Git · Information Disclosure
01

Engagement summary

Public subdomain and GitHub history for marvenly_site exposed developer email and a secret removed from HEAD but still in commit 33c59e5.

DEV DIARIES started from domain marvenly.com. Subdomain discovery found uat-testing.marvenly.com. The UAT footer leaked username notvibecoder23; Google → GitHub profile with marvenly_site. Cloning and git log revealed freelancedevbycoder23@gmail.com and a commit message about abandonment after a payment dispute. An older commit (33c59e5…) still contained the engagement artifact THM{g1t_h1st0ry_n3v3r_f0rg3ts}.

Business impact

Git history never forgets secrets deleted from the tip. Rotate any credential that ever hit a public repo; use secret scanning and history rewrite (or abandon the repo) when leaks occur. Keep UAT off the public internet without auth.

02

Subdomain to GitHub commit archaeology

Enumerated UAT, cloned repo, recovered email and historical secret.

OPERATOR · OSINT

savvy@lab:~$ # subdomain enum marvenly.com → uat-testing.marvenly.com

savvy@lab:~$ curl -s https://uat-testing.marvenly.com/ | grep -i coder

notvibecoder23

savvy@lab:~$ git clone https://github.com/notvibecoder23/marvenly_site/ && cd marvenly_site && git log --oneline

freelancedevbycoder23@gmail.com # author email

savvy@lab:~$ git show 33c59e5feedcbcbfee7a1f6d3a435225698f616f

THM{g1t_h1st0ry_n3v3r_f0rg3ts}

Remediation

Enable org-wide secret scanning and push protection. Auth-gate UAT. Purge sensitive commits or rotate and treat as burned.