Solution: Exposed /.git in Production

Tools Used: DVCS Pillage

When you open the target site and attempt to browse to /.git/, you can't immediately tell if the directory is exposed. However, if you browse to /.git/HEAD, you'll see that it is in fact exposed; directory listings are simply not enabled.

The easiest way to solve this is to just use a tool to do the hard work for us - enter DVCS Pillage.

Download DVCS Pillage, and then run:

    ./gitpillage.sh https php1.hackthe.company/challenge3/b/

Boom, scope the source code downloaded into the local folder and retrieve the flag.
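
On the server side, the same situation shows up in the access log: the request for the /.git/ directory is refused while individual files beneath it are served. The check below is an added example, not part of the original write-up; the log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not from the challenge server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /challenge3/b/.git/ HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "GET /challenge3/b/.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "GET /challenge3/b/.git/index HTTP/1.1" 200 1432 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /challenge3/b/.git/objects/3f/a1b2c3d4e5f60718293a4b5c6d7e8f9012345a HTTP/1.1" 200 187 "-" "curl/8.0"
198.51.100.20 - - [12/Mar/2024:10:02:00 +0000] "GET /challenge3/b/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - - [12/Mar/2024:10:03:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# client IP, request method, request path and status code of one log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# a path segment that is exactly ".git"
GIT_PATH_RE = re.compile(r'/\.git(/|$)')


def find_git_exposure(log_text):
    """Return {client_ip: [paths]} for requests under /.git/ answered with 2xx."""
    served = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        # A refused directory request (403/404) is not evidence of exposure;
        # a served file under /.git/ is.
        if GIT_PATH_RE.search(path) and m.group("status").startswith("2"):
            served[m.group("ip")].append(path)
    return dict(served)


def looks_like_clone(paths):
    """True if a client was served repo metadata (HEAD or index) and objects."""
    got_meta = any(p.endswith(("/.git/HEAD", "/.git/index")) for p in paths)
    got_objects = any("/.git/objects/" in p for p in paths)
    return got_meta and got_objects


if __name__ == "__main__":
    for ip, paths in find_git_exposure(SAMPLE_LOG).items():
        print(ip, len(paths), "files served, clone pattern:", looks_like_clone(paths))
```

Any hit from find_git_exposure means the web server should be configured to deny every path under /.git, not just the directory listing.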