Dev Diaries — TryHackMe CTF Writeup
Platform: TryHackMe
Category: OSINT / Recon
Difficulty: Easy
Date: 2026-03-18
Author: t0nt0n
Reading time: ~3 min
Reconnaissance
Only starting point: the domain marvenly.com.
Subdomain enumeration via crt.sh
Certificate transparency logs at crt.sh revealed all issued certs for the domain:
https://crt.sh/?q=marvenly.com&output=json
Subdomains found:
- marvenly.com
- www.marvenly.com
- admin.marvenly.com
- uat-testing.marvenly.com ← dev/staging version
GitHub recon
Searching GitHub for "marvenly" surfaced the repository:
notvibecoder23/marvenly_site — a single-file HTML landing page, created January 2026.
Commit history (4 commits, all on 2026-01-20):
| Hash | Message |
|---|---|
| e9ce1ce | Initial commit of the landing page |
| 33c59e5 | Removed my signature, ready for deployment |
| 88baf1d | The project was marked as abandoned due to a payment dispute |
| 7a7090d | Parking the domain until the issue is solved |
Exploitation
Developer identity
Git commit metadata exposed the developer's email:
Email: freelancedevbycoder23@gmail.com
GitHub: notvibecoder23
Flag in commit diff
Commit 33c59e5 ("Removed my signature, ready for deployment") removed a visible footer credit but replaced it with a hidden HTML comment containing the flag:
<!-- removed the signature, but I'm leaving something as my hidden signature THM{g1t_h1st0ry_n3v3r_f0rg3ts} -->
Answers
Subdomain (dev version): uat-testing.marvenly.com
GitHub username: notvibecoder23
Developer email: freelancedevbycoder23@gmail.com
Reason for removing source: payment dispute
Flag
THM{g1t_h1st0ry_n3v3r_f0rg3ts}
Tools Used
- crt.sh — certificate transparency subdomain enumeration
- GitHub search — finding the developer's repository and commit history
What Didn't Work
- dev.marvenly.com / staging.marvenly.com — not in cert logs, connection refused
- admin.marvenly.com — resolves to same marketing page, no separate admin panel
Lessons Learned
- crt.sh is a fast, passive way to enumerate subdomains without any active scanning
- Git history never forgets — even after content is deleted from a repo, every prior commit diff is permanently public
- Always inspect commit diffs, not just the current state of the code — secrets, flags, and credentials often lurk in removed lines
- Developer email addresses are embedded in git commit metadata and trivially extractable from public repos
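
The same lessons from the repository owner's side, as an added example that is not part of the original writeup: a small Python auditor that reads `git log -p` output and reports the author emails plus any added or removed lines containing HTML comments or secret-like strings, so a repository can be checked before it is made public. The sample log, the regex patterns and the `audit` function name are constructed for illustration.

```python
import re

# Constructed, trimmed `git log -p` output; hashes, names and values are made up.
SAMPLE_LOG = """\
commit 1111111aaaaaaa
Author: Example Dev <dev@example.com>

diff --git a/index.html b/index.html
--- a/index.html
+++ b/index.html
@@ -10,3 +10,3 @@
 <footer>
-  <p>Built by Example Dev</p>
+  <!-- hidden signature EXAMPLE{not_a_real_secret} -->
 </footer>
commit 2222222bbbbbbb
Author: Example Dev <dev@example.com>

diff --git a/config.js b/config.js
--- a/config.js
+++ b/config.js
@@ -1,2 +1,1 @@
-const apiKey = "EXAMPLE-KEY";
 const debug = false;
"""

# Hypothetical patterns: HTML comments, NAME{...} tokens, credential assignments.
SUSPICIOUS = re.compile(
    r"<!--.*?-->"
    r"|\b[A-Z0-9_]{2,}\{[^}]+\}"
    r"|(?i:password|secret|api[_-]?key|token)\s*[:=]"
)
COMMIT = re.compile(r"^commit ([0-9a-f]{7,40})\b")
AUTHOR = re.compile(r"^Author: .*<([^>]+)>")

def audit(log_text):
    """Return (author_emails, findings) visible in a `git log -p` dump."""
    emails, findings, commit, in_hunk = set(), [], None, False
    for line in log_text.splitlines():
        if m := COMMIT.match(line):
            commit, in_hunk = m.group(1), False
        elif m := AUTHOR.match(line):
            emails.add(m.group(1))
        elif line.startswith("diff --git"):
            in_hunk = False          # file header lines (---/+++) are not changes
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line[:1] in ("+", "-") and SUSPICIOUS.search(line[1:]):
            findings.append(((commit or "")[:7], line[0], line[1:].strip()))
    return emails, findings
```

Run it over `git log -p --all` output from your own repository; a hit in history calls for rotating the exposed value and rewriting history, since a follow-up commit that deletes the line leaves the earlier diff readable.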