Welcome to the challenge! In this challenge, you will explore a web application and find an endpoint that exposes a file containing a hidden flag. The application is a simple blog website where you can read articles about various topics, including an article about API Documentation. Your goal is to explore the application and find the endpoint that generates files holding the serverโs memory, where a secret flag is hidden.
๐ฏ Challenge Files & Infrastructure
Provided Files
1
Files:None
๐ Initial Analysis
First Steps
Initially, the website appears as follows:
Site Presentation
Inspecting the page source, I didn’t find anything interesting, so since the description mentions API, I decided to run gobuster and do some Fuzzing on the api endpoints:
Gobuster
finding /api-docs. By visiting the route:
Swagger
I was taken to the web interface of swagger, which is used for testing api. Let’s move on to the exploitation phase.
๐ฏ Solution Path
Exploitation Steps
Initial setup
The only suspicious api from the previous screenshot was /heapdump:
Heapdump
so I decided to execute it.
Exploitation
Clicking on the Try it out button and then on Execute:
Executed
As we can see, the body contains a file. After downloading it and opening it with sublimetext, I performed a search (CTRL+F) for picoCTF{, thus finding the flag. The other option was to directly use curl as suggested by the api itself and search for picoCTF{ with tmux:
Curl
Flag capture
Manual Flag
๐ ๏ธ Exploitation Process
Approach
The automatic exploit makes a GET request to the page and extracts the flag using a regex.
