head-dump

Published: April 2, 2025

Description

The picoCTF News blog exposes an API reference that includes a /heapdump endpoint. Download the Java heap dump and search it for picoCTF.

Navigate to the API Documentation article and scroll to the entry describing /heapdump.

Use the built-in "Try it out" or run curl manually to download the heap dump file.

curl http://verbal-sleep.picoctf.net:63972/heapdump -o heapdump
grep -a picoCTF heapdump

Solution

  1. Step 1: Hit the hidden endpoint
    The open actuator endpoint dumps the JVM heap (`/heapdump`). Requesting it returns megabytes of binary data.

    Spring Boot Actuator is a production monitoring module that exposes management endpoints over HTTP. When misconfigured, it can leak sensitive runtime information. The /heapdump endpoint triggers a full JVM heap snapshot and streams it as a binary HPROF file - often hundreds of megabytes containing every live object in memory.

    Actuator endpoints were publicly exposed by default before Spring Boot 2.0. Even after the default was changed to require authentication, misconfigurations remain extremely common. The 2021 Actuator Security Advisory noted that thousands of production services still expose /env, /beans, /heapdump, and /trace without any authentication. Bug bounty programs regularly reward findings of open actuator endpoints at major companies.

    Proper hardening involves moving actuator endpoints to a different port with firewall rules, enabling Spring Security authentication on the management interface, and selectively exposing only the endpoints needed (e.g., just /health for load balancer checks). The management.endpoints.web.exposure.include property controls which endpoints are available.
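    As an added example (not part of the original writeup), here is a small shell audit of a Spring Boot application.properties file that reports whether /heapdump would be reachable on the application port. Besides management.endpoints.web.exposure.include from the text, it reads management.endpoints.web.exposure.exclude, management.endpoint.heapdump.enabled, management.server.port and server.port, which are real Spring Boot keys that the writeup does not mention; the three sample property files are constructed for the demonstration.

```shell
# Added example, not from the original writeup: audit a Spring Boot
# application.properties file for an exposed /heapdump actuator endpoint.
# The property keys are real Spring Boot keys; the sample files are constructed.

# prop KEY_REGEX FILE -> value of the last matching "key=value" line, trimmed
prop() {
  grep -E "^[[:space:]]*$1[[:space:]]*=" "$2" \
    | tail -n 1 \
    | sed 's/^[^=]*=//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_actuator FILE -> prints EXPOSED, SEPARATE_PORT or OK
audit_actuator() {
  f="$1"
  include=$(prop 'management\.endpoints\.web\.exposure\.include' "$f")
  exclude=$(prop 'management\.endpoints\.web\.exposure\.exclude' "$f")
  enabled=$(prop 'management\.endpoint\.heapdump\.enabled' "$f")
  mgmt_port=$(prop 'management\.server\.port' "$f")
  app_port=$(prop 'server\.port' "$f")

  # Endpoint switched off entirely: nothing to reach.
  if [ "$enabled" = "false" ]; then echo OK; return 0; fi
  # Excluded by name: exclude takes precedence over include in Spring Boot.
  case ",$exclude," in *,heapdump,*|*,\*,*) echo OK; return 0 ;; esac
  # Not in the include list (the default include list does not contain heapdump).
  case ",$include," in *,heapdump,*|*,\*,*) ;; *) echo OK; return 0 ;; esac
  # Included, but served on a separate management port that a firewall can block.
  if [ -n "$mgmt_port" ] && [ "$mgmt_port" != "${app_port:-8080}" ]; then
    echo SEPARATE_PORT; return 0
  fi
  echo EXPOSED
}

DIR=$(mktemp -d)
WEAK="$DIR/weak.properties"; HARD="$DIR/hard.properties"; SPLIT="$DIR/split.properties"
# Constructed: everything exposed on the application port (the CTF scenario).
printf '%s\n' 'server.port=8080' \
  'management.endpoints.web.exposure.include=*' > "$WEAK"
# Constructed: only /health exposed, heapdump disabled, separate management port.
printf '%s\n' 'server.port=8080' 'management.server.port=9090' \
  'management.endpoints.web.exposure.include=health' \
  'management.endpoint.heapdump.enabled=false' > "$HARD"
# Constructed: still wide open, but at least on a port the firewall can block.
printf '%s\n' 'server.port=8080' 'management.server.port=9090' \
  'management.endpoints.web.exposure.include=*' > "$SPLIT"

for f in "$WEAK" "$HARD" "$SPLIT"; do
  printf '%s: %s\n' "$(basename "$f")" "$(audit_actuator "$f")"
done
```

    The check is a heuristic for the properties format only: it does not follow YAML configs, profile-specific files, or environment-variable overrides, so treat OK as "nothing in this file exposes heapdump" rather than proof that the running service is safe.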

  2. Step 2: Search the dump
    Use `grep -a picoCTF heapdump` (or strings) to carve the flag string out of the heap. It appears near a JSON blob describing patient records.

    Heap dumps contain the raw bytes of every object alive in the JVM at the moment the dump was triggered. This includes strings, byte arrays, configuration objects, database credentials, session tokens, API keys, and any other in-memory data - all in plaintext. The -a flag in grep tells it to treat the binary file as text so regular pattern matching still works.

    The strings command is an equally effective alternative: it scans any binary for sequences of printable ASCII characters above a minimum length. Both tools are standard in forensic investigation and incident response for extracting readable artifacts from memory images, core dumps, and crash files. Tools like Eclipse Memory Analyzer (MAT) and VisualVM provide GUI-based heap analysis with object graphs, reference chains, and leak suspects.
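    As an added example (not the writeup's own commands), the script below builds a small constructed binary blob that imitates a heap dump, then does what `strings` and `grep -a` do: carves runs of printable characters, pulls out a flag-shaped token, and, from the defender's side, lists the credential-looking key=value pairs the same dump would leak. The blob contents, the placeholder flag and the sample password are all constructed; only the first line mimics the HPROF file header.

```shell
# Added example, not from the original writeup. Constructed binary blob with a
# few printable strings buried between NUL and non-printable bytes.
BLOB=$(mktemp)
printf 'JAVA PROFILE 1.0.2\000\000\000\010' > "$BLOB"          # HPROF-style header
printf '\001\002\377\376' >> "$BLOB"                          # binary noise
printf '%s' '{"patient":"Jane Doe","note":"picoCTF{example_flag_not_real}"}' >> "$BLOB"
printf '\000\000\177' >> "$BLOB"
printf '%s' 'db.password=s3cr3t-sample' >> "$BLOB"            # constructed secret
printf '\000\000ab\000' >> "$BLOB"                            # too short to carve

# Equivalent of `strings -n 6`: runs of at least 6 printable ASCII bytes,
# split wherever a non-printable byte appears. LC_ALL=C keeps tr/grep byte-wise.
carve_strings() {
  LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '.{6,}'
}

# What the writeup's `grep -a` does: treat the binary as text and print the
# first flag-shaped token.
find_flag() {
  LC_ALL=C grep -a -o 'picoCTF{[^}]*}' "$1" | head -n 1
}

# Defender view: any credential-looking key=value pair in the carved strings
# is something that should never have been sitting in a reachable heap dump.
find_secrets() {
  carve_strings "$1" | LC_ALL=C grep -E -i -o '(password|secret|token|apikey)[=:][^[:space:]"]+'
}

echo "carved strings:"; carve_strings "$BLOB"
echo "flag: $(find_flag "$BLOB")"
echo "secrets: $(find_secrets "$BLOB")"
```

    Running it carves three strings (the header, the JSON record and the password line), prints the placeholder flag, and reports `password=s3cr3t-sample`; the two-byte `ab` fragment is dropped by the length filter, just as `strings` would drop it.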

    From a security standpoint, the key lesson is that anything stored in memory - even temporarily - can be recovered from a heap dump. This is why sensitive values like private keys and passwords should be held in a char[] (which can be zeroed once used) rather than a String (which is immutable and stays in the heap until it is garbage collected) in Java applications.

Flag

picoCTF{Pat!3nt_15_Th3_K3y_ad7e...}

No authentication or decoding needed; just download and search the dump.
