head-dump picoCTF 2025 Solution

Published: April 2, 2025

Description

The picoCTF News blog exposes an API reference that includes a /heapdump endpoint. Download the Java heap dump and search it for picoCTF.

Browse to the API Documentation article. The Spring Boot Actuator catalog (/actuator or the docs page itself) lists a /heapdump endpoint.

Use the built-in "Try it out" or run curl manually to download the heap dump file (it will be tens of MB).

Confirm the format with file heapdump and head -c 32 heapdump | xxd. You should see the HPROF magic header JAVA PROFILE 1.0.2.

```bash
# Enumerate the Actuator endpoints the app exposes
curl -s http://verbal-sleep.picoctf.net:63972/actuator | jq
# Download the heap dump (tens of MB)
curl http://verbal-sleep.picoctf.net:63972/heapdump -o heapdump
# Confirm it is an HPROF file
file heapdump
# Search the binary as text for the flag prefix
grep -a picoCTF heapdump
```
Misconfigured Spring Boot Actuator is one of the all-time greatest hits in real bug bounty work; the Web Challenges and Real-World Bug Patterns guide catalogs the same pattern alongside other server-side info-leak primitives. The Burp Suite for picoCTF guide explains the HTTP history filter and Repeater workflow that turn a Spring header leak into a one-minute solve.
  1. Step 1: Hit the hidden endpoint
    The API documentation lists Spring Boot Actuator routes. /heapdump returns a binary JVM snapshot - hundreds of megabytes of every live object, including any String fields the app holds.
    ```bash
    curl http://verbal-sleep.picoctf.net:63972/heapdump -o heapdump
    file heapdump
    # Expected: 'heapdump: Java HPROF profile data, JAVA PROFILE 1.0.2'

    xxd heapdump | head -1
    # Expected first 12 bytes: 4a 41 56 41 20 50 52 4f 46 49 4c 45  ('JAVA PROFILE')
    ```

    Spring Boot Actuator is a production monitoring module that exposes management endpoints over HTTP. When misconfigured, it can leak sensitive runtime information. The /heapdump endpoint triggers a full JVM heap snapshot and streams it as a binary HPROF file, often hundreds of megabytes containing every live object in memory. The application stores the flag in a String variable, and Java String objects live on the heap until the garbage collector reclaims them, so anything held in memory at dump time ends up in the file.

    Actuator endpoints were publicly exposed by default before Spring Boot 2.0. Even after the default was changed, misconfigurations remain extremely common: thousands of production services still expose /env, /beans, /heapdump, and /trace without any authentication. The Spring Boot guidance is unambiguous: /heapdump should never be reachable from the public internet. CVE-2017-8046 (a Spring Data REST PATCH RCE) is a related but separate class of Spring vulnerability worth knowing as background.

    Proper hardening involves moving actuator endpoints to a different port with firewall rules, enabling Spring Security authentication on the management interface, and selectively exposing only the endpoints needed (e.g., just /health for load balancer checks). The management.endpoints.web.exposure.include property controls which endpoints are available.

  2. Step 2: Search the dump
    grep -a forces text mode so the regex actually matches. Without -a, grep auto-detects the file as binary and exits with no output, which looks like an empty result.
    ```bash
    grep -a picoCTF heapdump
    # Show 5 lines of context either side of the flag
    grep -aB5 -A5 'picoCTF{' heapdump
    # Equivalent with strings:
    strings heapdump | grep picoCTF
    ```

    Heap dumps contain the raw bytes of every object alive in the JVM at the moment the dump was triggered. This includes strings, byte arrays, configuration objects, database credentials, session tokens, API keys, and any other in-memory data - all in plaintext. The -a flag in grep tells it to treat the binary file as text so regular pattern matching still works.

    The strings command is an equally effective alternative: it scans any binary for sequences of printable ASCII characters above a minimum length. Both tools are standard in forensic investigation and incident response for extracting readable artifacts from memory images, core dumps, and crash files. Tools like Eclipse Memory Analyzer (MAT) and VisualVM provide GUI-based heap analysis with object graphs, reference chains, and leak suspects.

    From a security standpoint, the key lesson is that anything stored in memory - even temporarily - can be recovered from a heap dump. This is why sensitive values like private keys and passwords should be stored in char[] (which can be zeroed) rather than String (which is immutable and persists until GC collection) in Java applications.
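The download-verify-search procedure of Steps 1 and 2, as an added shell example that is not part of the original writeup: instead of eyeballing the xxd output, it reads the HPROF header fields (the NUL-terminated magic, the 4-byte identifier size and the 8-byte timestamp that follow it) and then pulls the flag token out with grep -a -o. The script touches no network; the make_sample_dump helper, its file layout beyond the real header and the value picoCTF{constructed_example_flag} are constructed for this example, and pointing the script at a real download works the same way.

```shell
#!/bin/sh
# Added example (not from the writeup): verify the HPROF header of a heap dump
# and pull the flag out of it. The sample dump is constructed in
# make_sample_dump so the script runs offline.

# hprof_magic FILE -> prints the version string ("JAVA PROFILE 1.0.2") if the
# first 18 bytes look like an HPROF header; fails otherwise.
hprof_magic() {
  m=$(dd if="$1" bs=18 count=1 2>/dev/null | tr -d '\000')
  case "$m" in
    "JAVA PROFILE 1.0."[12]) printf '%s\n' "$m"; return 0 ;;
  esac
  return 1
}

# hprof_id_size FILE -> the u4 identifier size that follows the NUL-terminated
# magic (offset 19): 4 on 32-bit JVMs, 8 on 64-bit ones.
hprof_id_size() {
  set -- $(od -An -tu1 -j19 -N4 "$1")
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# hprof_timestamp_ms FILE -> the u8 big-endian dump timestamp (offset 23),
# milliseconds since the Unix epoch.
hprof_timestamp_ms() {
  ts=0
  for b in $(od -An -tu1 -j23 -N8 "$1"); do
    ts=$(( (ts << 8) | b ))
  done
  echo "$ts"
}

# hprof_find_flag FILE -> first picoCTF{...} token in the dump. -a makes grep
# treat the binary as text so the match is printed instead of suppressed;
# -o prints only the token rather than a multi-kilobyte "line" of heap bytes.
hprof_find_flag() {
  grep -a -o 'picoCTF{[^}]*}' "$1" | head -n 1
}

# make_sample_dump FILE -> constructed miniature dump: the real header layout
# (magic, NUL, id size 8, timestamp) followed by fake heap bytes that contain
# a String's UTF-8 payload, the way a real dump would.
make_sample_dump() {
  {
    printf 'JAVA PROFILE 1.0.2\000'
    printf '\000\000\000\010'                  # identifier size = 8
    printf '\000\000\001\225\000\000\000\000'  # 0x19500000000 ms (Feb 2025)
    printf 'heap\001\002\003 picoCTF{constructed_example_flag} tail\377\376'
  } > "$1"
}

# Usage: sh hprof_check.sh /path/to/heapdump   (no argument: use the sample)
if [ "$#" -gt 0 ]; then
  dump=$1
else
  dump=$(mktemp) && make_sample_dump "$dump" && trap 'rm -f "$dump"' EXIT
fi
hprof_magic "$dump" >/dev/null || { echo "$dump: not an HPROF file" >&2; exit 1; }
echo "version:    $(hprof_magic "$dump")"
echo "id size:    $(hprof_id_size "$dump") bytes"
echo "dumped at:  $(hprof_timestamp_ms "$dump") ms since epoch"
echo "flag:       $(hprof_find_flag "$dump")"
```

The identifier size is worth checking before any deeper parsing: every object ID in the record stream is that wide, so a tool that assumes 8 bytes silently misreads a dump taken from a 32-bit JVM.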

Flag

picoCTF{Pat!3nt_15_Th3_K3y_ad7e...}

Truncated for site policy; the actual flag continues past the redaction. No authentication or decoding needed - just download and search the dump.

How to prevent this

  • Set management.endpoints.web.exposure.include=health,info and never expose /heapdump, /env, /beans, or /trace on a public interface.
  • Move actuator to a separate management port (management.server.port) and firewall it to internal IPs only. Load balancers can still reach /health; the public internet cannot.
  • Require authentication on whatever does stay exposed (Spring Security on the management context), and treat heap dumps as a credential-equivalent artifact in incident response runbooks.
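As an added example (not the writeup's own material), the weak and hardened application.properties described in the list above side by side, plus a small shell audit that reads the exposure properties and reports which sensitive Actuator endpoints a given file still exposes over HTTP and whether the management interface sits on its own port. The property names are real Spring Boot keys; the two sample files, the SENSITIVE_ENDPOINTS list and the health-only fallback for an unset include property are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the writeup): weak vs hardened Spring Boot
# application.properties, plus a check that reports which sensitive Actuator
# endpoints a properties file still exposes over HTTP.

# Endpoints that leak runtime state (assumed list: the writeup's /env, /beans,
# /heapdump, /trace plus two further built-in Actuator endpoints).
SENSITIVE_ENDPOINTS="heapdump env beans trace threaddump configprops"

# write_samples WEAK HARDENED -> writes two constructed property files
write_samples() {
  cat > "$1" <<'EOF'
# constructed weak config: every endpoint, heap dump included, on the app port
server.port=8080
management.endpoints.web.exposure.include=*
EOF
  cat > "$2" <<'EOF'
# constructed hardened config: health/info only, own port, loopback only
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env
management.server.port=8081
management.server.address=127.0.0.1
EOF
}

# prop FILE KEY -> value of the last "KEY=value" line (KEY with dots escaped)
prop() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d ' \t'
}

# listed NAME LIST -> succeeds if NAME, or the wildcard *, is in the comma list
listed() {
  case ",$2," in
    *",$1,"*|*",*,"*) return 0 ;;
  esac
  return 1
}

# exposed_sensitive FILE -> space-separated sensitive endpoints exposed over HTTP
exposed_sensitive() {
  include=$(prop "$1" 'management\.endpoints\.web\.exposure\.include')
  exclude=$(prop "$1" 'management\.endpoints\.web\.exposure\.exclude')
  # Assumption: an unset include property falls back to the current Spring
  # Boot web default, which exposes health only.
  [ -n "$include" ] || include=health
  out=""
  for ep in $SENSITIVE_ENDPOINTS; do
    if listed "$ep" "$include" && ! listed "$ep" "$exclude"; then
      out="$out${out:+ }$ep"
    fi
  done
  printf '%s\n' "$out"
}

# on_separate_port FILE -> succeeds if actuator is bound to its own port, so a
# firewall rule can keep it off the public interface while /health stays up
on_separate_port() {
  mport=$(prop "$1" 'management\.server\.port')
  sport=$(prop "$1" 'server\.port')
  if [ -n "$mport" ] && [ "$mport" != "${sport:-8080}" ]; then
    return 0
  fi
  return 1
}

# audit FILE -> one-line verdict; exit status 1 if anything sensitive leaks
audit() {
  leaks=$(exposed_sensitive "$1")
  if on_separate_port "$1"; then where="separate management port"; else where="same port as the app"; fi
  if [ -n "$leaks" ]; then
    echo "$1: EXPOSED over HTTP: $leaks ($where)"; return 1
  fi
  echo "$1: no sensitive endpoints exposed ($where)"
}

# Usage: sh actuator_audit.sh application.properties ...   (no argument: samples)
if [ "$#" -gt 0 ]; then
  for f in "$@"; do audit "$f"; done
else
  w=$(mktemp) && h=$(mktemp) && trap 'rm -f "$w" "$h"' EXIT
  write_samples "$w" "$h"
  audit "$w"; audit "$h"
fi
```

The audit only reads the properties file, so it is cheap to run in CI against every service's configuration; a wildcard include, or any of the listed endpoints appearing explicitly, is the condition that turns the heap dump into a one-request credential leak.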
