Modern web applications built with version control systems like Git and GitHub create permanent archives of all code changes, including deleted files and temporary testing artifacts that developers may accidentally leave in the repository history. Attackers can exploit these version control mistakes by examining commit history to discover hidden features, testing codes, or sensitive information that was removed from the live website but remains accessible through the version control system's historical records.
I Hacked My Own Website! (The GitHub Exploit)
Hello, Hermanos. Welcome back. Today, I'm doing something different. Today, I am hacking my own website. Look at the screen right now. I just built a brand new landing page for my 2026 web hacking masterclass PDF. But I put a lock on it.
If you go to the site right now, you get hit with this massive countdown timer blocking the entire screen. The system says you have to wait to buy it. Now, listen to me.
By the time you are watching this video on YouTube, the timer might be zero. I might have already patched the vulnerability I'm about to show you, but I am recording this right now because I want to show you the exact process a professional hacker uses before they even launch an attack.
A normal person looks at this locked screen and says, "Okay, I guess I will come back in 3 days."
But a hacker, a hacker looks at this and smiles. I'm going to show you exactly how we bypass this step by step assuming you know absolutely nothing. Let's go.
Step one, when a beginner sees a locked page, they give up. A hacker presses Ctrl+U. We look at the raw source code of the website.
We are looking for hidden links. We are looking for developer notes. We are looking for anything stupid they left behind. I look through the code here.
It's just a massive block of Tailwind CSS and layout code. There are no secret passwords written in plain text here. It is clean.
So, we move deeper.
Step two, we open developer tools by pressing Ctrl+Shift+I. You have to understand the illusion of security. When a beginner like me, who is a developer, wants to hide a website, they use JavaScript and CSS to draw a massive black box over the screen.
But we control the browser.
I promise I didn't do this on purpose just to show you. I only wanted to add a countdown timer on my website before people make a payment. And while researching it, I came across this and tried it myself.
Okay, now I find the exact piece of code drawing that lock screen. It's an element called launch overlay. I select it, I press delete.
Oh my god, this is live and I didn't try it before. I didn't expect it would work like this, but boom, the lock disappears. We just bypassed the UI and we can see the real website hiding behind it.
Before we go any further, look at me.
I'm doing this on my personal website. I own this server. I wrote this code.
Doing this reconnaissance on a target you do not own without permission is illegal. This is for educational purposes so you understand how attackers think. Got it? Stay out of jail. Okay, let's keep going.
We bypass the timer, but we still have a problem. If I click buy now, it wants me to pay $29.99.
I want it for free. Or if the developer, myself, puts a comment on the website and deletes it.
Normally, this is the part of the hack where I would fire up a directory brute forcer like Dirb or GoBuster. I would aggressively scan the server for hidden folders like /admin or check the robots.txt file to see what the server is hiding.
But today, I'm not going to touch the server at all. I'm going to use a completely different attack vector.
I want to show you the time machine.
Mira, almost every modern website on the internet is built using version control, usually Git and GitHub. When a developer builds a website, they don't just upload it once.
They make hundreds of tiny updates. They change a color, they hit commit, they add a button, they hit commit.
GitHub tracks every single keystroke. It remembers every single version of the website that has ever existed. Now, listen to me closely. Developers are human and humans make stupid careless mistakes.
Imagine I was building this website yesterday at 3:00 a.m. I was testing the checkout system, so I created a secret 50% off tester coupon code. I hid the code in an HTML comment, so I wouldn't forget it.
The next morning, I wake up, realize I left a live coupon code in the code, and I delete it. I save the file. I upload the new clean version to the internet. I think I am perfectly safe because the code is gone from the live website.
Cabrones, nothing is ever truly deleted on the internet.
Let's do some reconnaissance.
I find the public GitHub repository hosting this website. I mean, I know this website's GitHub repository because it is mine.
And you can tell if the website is on GitHub or not by seeing my URL. My website is a low-budget website.
I don't look at the live code. I look at the history. I click on the commits tab.
This is the forensic trail. Look at this commit right here. The developer named it, "Removed testing artifacts."
As a hacker, my brain instantly triggers. What exactly did you remove?
Let's find out.
I click on the commit, and GitHub shows me the exact difference between yesterday's code and today's code.
Look at the screen right now. My goodness.
There it is, glowing in red.
The developer deleted it from the live website, but GitHub archived the mistake forever.
We just used a time machine to look over the developer's shoulder from yesterday.
It says, "To do: remove VIP coupon tester before launch."
I take that ghost code. I go back to the live website. I bypass the countdown timer. I go to the checkout, and I paste the code.
Boom, the price drops to 50%.
We didn't run a complex SQL injection.
We didn't crack a password. We robbed the bank simply by reading the architect's trash.
This is what real modern web hacking looks like. It is about understanding the developer's workflow. It's about hunting logic flaws, exposed metadata, and version control mistakes. Listen to me. Automated scanners will never ever find a vulnerability like this.
A scanner doesn't know how to read GitHub history like a human.
If you want to stop playing around and actually learn how to hunt logic flaws, authentication bypasses, and manual exploitation workflows, my new masterclass is finally live.
13 months of work, 115 pages of pure weaponized methodology. I put the link in the description. And mira, I actually left that exact coupon code active for the first 20 people who use it. If you are fast enough, you get it for 50%. If you miss it, you pay like everyone else.
If you get the PDF, you get direct access to my email. You get a mentor.
Read the guide, build your foundation, and join the brotherhood.
Thank you for watching, hermanos. Stay curious.
One life, one shot, make it count.
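
Added example, not part of the video transcript: a defender's audit that walks a repository's own patch history and flags deleted lines that look sensitive, the kind of "removed" comment the transcript describes. The log sample, the keyword list and the function name `find_removed_secrets` are constructed for illustration.

```python
import re

# Constructed, trimmed sample of `git log -p --no-color` output (not the page's repository).
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>

    Removed testing artifacts

diff --git a/index.html b/index.html
--- a/index.html
+++ b/index.html
@@ -40,4 +40,3 @@
 <section id="checkout">
-  <!-- TODO: remove tester coupon EXAMPLE50 before launch -->
   <button id="buy">Buy now</button>
 </section>

commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>

    Change button color

diff --git a/style.css b/style.css
--- a/style.css
+++ b/style.css
@@ -1 +1 @@
-.buy { color: red; }
+.buy { color: green; }
"""

# Assumed keyword list; tune it to the secrets your project actually uses.
SUSPICIOUS = re.compile(r"coupon|promo|passw(or)?d|secret|token|api[_-]?key", re.I)

def find_removed_secrets(log_text):
    """Return (commit, path, text) for every deleted line that looks sensitive."""
    findings, commit, path, in_hunk = [], None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path, in_hunk = line.split()[1], None, False
        elif line.startswith("diff --git "):
            path, in_hunk = line.split(" b/", 1)[1], False
        elif line.startswith("@@"):
            in_hunk = True  # file headers (---/+++) are now behind us
        elif in_hunk and line.startswith("-") and SUSPICIOUS.search(line):
            findings.append((commit[:7], path, line[1:].strip()))
    return findings

if __name__ == "__main__":
    for commit, path, text in find_removed_secrets(SAMPLE_LOG):
        print(f"{commit} {path}: {text}")
```

Feed it the output of `git log -p --no-color` from your own repository. A hit means the value is already exposed in history, so revoke or disable it rather than relying on the deletion.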