Challenge 54 ☆☆

Welcome to challenge Challenge 54. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

.gitignore Secret Challenge

.gitignore files help avoid accidental commit of sensitive or irrelevant data into source control. However, sometimes developers mistakenly add sensitive data or secrets as comments or hidden entries within .gitignore.

In this challenge, a developer left behind an encrypted secret in a .gitignore file comment. Even though encrypted, it highlights how easy it is to forget critical secrets in accessible locations.

Your goal is to find and decrypt this forgotten secret.

Note

The secret is encrypted using AES-256-CBC and with an IV. Use the key found in ".gitignore" to decrypt it. We used the following command for encryption:

echo -n "<you will have to find out>" | openssl enc -aes-256-cbc -K <you will have to find out> \
  -iv 30313233343536373839616263646566 \
  -nosalt -base64 -e
Answer to solution :

The secret is hidden within the .gitignore file as an AES-256-CBC encrypted.

Follow these steps to decrypt the secret:

  1. Locate the encrypted comment and the key to decrypt it in .gitignore.

  2. Use OpenSSL to decrypt:

     echo "h0vRDUS3VDN2gwfd1oftcMtD/YlKE0YfHLTvyk/lrY4=" | openssl enc -aes-256-cbc -K 6b3b913c09d62238b9b8c0cc78904e7e1f9a99fd0a04ebae50a8a9881d452bbd \
  -iv 30313233343536373839616263646566 \
  -nosalt -base64 -d

Why placing secrets in .gitignore is a security risk?

Developers regularly update configuration files like .gitignore, occasionally leaving sensitive information behind—such as passwords, tokens, or critical file paths. These secrets, even encrypted, pose risks:

  • Attackers could discover and decrypt the secrets.

  • Forgotten secrets in public files indicate poor security practices and weak secret management.

This challenge demonstrates the importance of code reviews and ensuring secrets are never accidentally committed or left behind.


Previous
Go the main page
Next
0