vault-door-training

Published: April 2, 2026

Description

Our security team wrote a vault to protect our password. Can you defeat it? The Java source code is provided.

Download VaultDoorTraining.java from the challenge page.

Solution

  1. Step 1: Read the checkPassword method
    Open VaultDoorTraining.java and locate the checkPassword() method. The password is hardcoded as a plain string literal -- no encryption, no obfuscation. Reading that string directly gives you the flag contents.

    Hardcoded credentials -- passwords, API keys, tokens, or secrets embedded directly in source code -- are one of the most pervasive and dangerous security vulnerabilities in software. When source code is shared, leaked, decompiled from a binary, or checked into version control, every hardcoded secret in it is immediately exposed to anyone who reads it.

    This is so common that major secret scanning tools exist specifically to detect it:

    • GitHub Secret Scanning -- automatically scans public repos for API keys and tokens
    • truffleHog -- scans git history for high-entropy strings and known secret patterns
    • gitleaks -- fast secret scanner for git repos and CI pipelines
    • detect-secrets -- Yelp's tool for preventing secrets from entering codebases

    The correct pattern is to store secrets in environment variables or a secrets manager (like AWS Secrets Manager, HashiCorp Vault, or Doppler) and read them at runtime. The source code then contains no secrets, so reading it reveals nothing. Hardcoding credentials is catalogued as CWE-798 (Use of Hard-coded Credentials) in the Common Weakness Enumeration and is included in every major security standard including OWASP and NIST.

    In the context of this challenge series, the Vault Door challenges progressively introduce more sophisticated obfuscation techniques -- but all of them share the same fundamental flaw: the password validation logic is visible in source code. No amount of obfuscation in application logic can substitute for proper cryptographic authentication design.
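The two patterns side by side, as an added illustration rather than the challenge's own source: a CWE-798 check with the literal in code, and a hardened check that reads only a SHA-256 digest of the password from the environment at runtime. The variable name VAULT_PASSWORD_SHA256 and the class name are assumptions; HexFormat needs Java 17 or newer.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public class VaultDoorExample {

    // CWE-798 pattern (constructed example, not the challenge code): the secret
    // is a string literal, so anyone who reads the .java or decompiles the .class
    // has it. This is exactly what the writeup exploits.
    static boolean checkPasswordHardcoded(String password) {
        return password.equals("example-hardcoded-secret");
    }

    // Hardened pattern: the source holds no secret. Only a SHA-256 digest of the
    // password is configured, injected at runtime through an environment variable
    // (VAULT_PASSWORD_SHA256 is an assumed name). For many user passwords a slow
    // KDF such as PBKDF2 would be preferred; for one deployment secret a digest
    // keeps the example focused on removing the literal from the code.
    static boolean checkPasswordHardened(String password) throws NoSuchAlgorithmException {
        String expectedHex = System.getenv("VAULT_PASSWORD_SHA256");
        if (expectedHex == null || expectedHex.isBlank()) {
            // Fail closed: a missing secret must never turn into "accept anything".
            throw new IllegalStateException("VAULT_PASSWORD_SHA256 is not configured");
        }
        byte[] expected = HexFormat.of().parseHex(expectedHex.trim());
        byte[] actual = MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        // Constant-time comparison so response timing does not reveal how many
        // bytes of the digest matched.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String attempt = args.length > 0 ? args[0] : "";
        System.out.println(checkPasswordHardened(attempt) ? "Access granted" : "Access denied");
    }
}
```

Reading this source, unlike the challenge's, tells an attacker nothing: the digest lives in the deployment environment, and even a leaked digest still has to be inverted.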

Flag

picoCTF{...}

Hardcoded credentials in source code are one of the most common and easily exploited vulnerabilities -- always check for string literals in authentication logic.
