Safe Opener

Published: July 20, 2023

Description

The SafeOpener Java program stores an encoded password. Decode it, then wrap the plaintext inside picoCTF{...} to submit.

Open the Java source: `openSafe()` defines the Base64-encoded password (`encodedkey`).

Extract the string, decode it, and either run the program with that password or directly wrap it with picoCTF{...}.

```bash
cat SafeOpener.java | grep encodedkey | sed -n '5p' | cut -d '"' -f2 | base64 -d
java SafeOpener.java # optional sanity check
```

Solution

  1. Step 1: Read the source
    The main method simply compares the user input (Base64-encoded) against the constant stored in `encodedkey`. No reversing needed; just decode.

    Source code auditing is the process of reading program source to find security vulnerabilities, hidden logic, or hardcoded secrets. When source is available (as in this challenge), it's far faster than reverse engineering a compiled binary - you can search for keywords like password, key, secret, or encode directly.

    Java source files are particularly readable and widely used in enterprise applications. The openSafe() method pattern - comparing user input against a stored encoded value - mirrors real authentication code that novice developers sometimes write, storing a known-good answer and checking against it rather than using a proper authentication framework.

    The critical insight is that Base64 encoding is not encryption. Storing Base64.encode(password) in source code is functionally identical to storing the plaintext password - anyone who reads the code can reverse it in seconds. Passwords should be stored as salted hashes (bcrypt, Argon2) so that even database breaches don't expose them.

  2. Step 2: Format the flag
    Take the decoded password and wrap it in `picoCTF{...}` to produce the final submission.

    In Java, java.util.Base64 (Java 8+) provides the standard Base64 encoder/decoder. Earlier code used sun.misc.BASE64Decoder, which was internal and non-standard. On the command line, base64 -d (Linux/Mac) or CyberChef's "From Base64" operation decodes the string instantly.

    The pipeline approach used in the setup command (cat | grep | sed | cut | base64 -d) demonstrates Unix philosophy: small tools chained together to accomplish a task. Each tool does one thing - grep finds lines with the keyword, sed -n '5p' keeps only the fifth of those lines, cut extracts the field between quotes, base64 -d decodes the result.

    When auditing Java applications professionally, tools like jadx (decompiler), Checkmarx, and SonarQube automate source scanning for hardcoded secrets and insecure patterns across entire codebases.
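
The Base64-versus-salted-hash point from step 1, as an added example that is not part of the original writeup or the challenge's code. The constant is a constructed sample (Base64 of `hunter2`), the class and method names are hypothetical, and the JDK's PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2, which require a third-party library.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SafeCheck {
    // Constructed sample value, not the challenge's constant: Base64 of "hunter2".
    static final String ENCODED_KEY = "aHVudGVyMg==";

    // Weak pattern from the writeup: anyone holding the source recovers the password.
    static String recoverFromBase64(String encoded) {
        return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
    }

    // Salted, slow, one-way derivation (PBKDF2 used here as a stand-in for bcrypt/Argon2).
    static byte[] hash(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    // Verify by re-deriving and comparing in constant time; the stored value cannot be decoded back.
    static boolean verify(char[] attempt, byte[] salt, int iterations, byte[] stored) throws Exception {
        return MessageDigest.isEqual(hash(attempt, salt, iterations), stored);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Base64 constant decodes to: " + recoverFromBase64(ENCODED_KEY));

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);   // fresh random salt per stored password
        int iterations = 600_000;             // assumed work factor; tune for your hardware
        byte[] stored = hash("hunter2".toCharArray(), salt, iterations);

        System.out.println("correct password accepted: "
                + verify("hunter2".toCharArray(), salt, iterations, stored));
        System.out.println("wrong password accepted:   "
                + verify("hunter3".toCharArray(), salt, iterations, stored));
    }
}
```

A salted hash embedded in client-side code can still be attacked offline, so in a real application the stored record and the comparison belong on the server.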

Flag

picoCTF{pl3as3_l3t_m3_1nt0_th...}

This challenge reinforces that storing secrets in client-side code (even encoded) offers no real protection.
