
Task: a public Spring Boot site blocks new registration but exposes /actuator/heapdump, leaking live authentication material. Solution: recover the admin SHA-256 password value from memory and submit that hash directly to the login form to access /admin/dashboard.

Techniques: credential_extraction, heapdump_analysis, hash_reuse_login

TeleLeak — MetaCTF

Summary

The application exposed Spring Boot actuator endpoints to unauthenticated users. The heap dump contained the admin credential material, and because the login form submitted a SHA-256 digest directly, the leaked hash was enough to sign in and read the flag from the admin dashboard.

Description

Goal: gain access to an existing account and recover the flag.

Target used: https://teleleak.umbccd.net.

Recon

  • The site used a Java / Spring Boot stack, visible from JSESSIONID, CSRF handling, and the login flow.
  • /login hashed the password client-side with SHA-256 and sent the hex digest in the password field.
  • /register existed, but submitting there redirected to /regLimit.html with the hint: Maybe you can find a way to get into an existing account ;)
  • /actuator was publicly accessible and exposed /actuator/heapdump.

Those signs strongly suggested a memory disclosure path instead of normal registration or password guessing.

Analysis

The key issue was the public heap dump. A Spring Boot heap dump can contain live objects, request state, secrets, session data, and cached credentials. In this case, the dump leaked reusable admin login material.

The login implementation made the exposure worse: the browser did not send the plaintext password. It sent a SHA-256 hex digest as the actual password value. That means the server accepted the digest itself as the login secret, so a leaked hash could be replayed directly.

Recovered credential material:

  • Username: admin
  • Password field value: f374e70b2d71eb7188c0eda0b6a13d47ca5abd681118de48354f003d8af534f5
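As an added illustration (not part of the original writeup), the following Python mirrors the two halves of the problem described above: a crude scan of a heap-dump fragment for SHA-256-sized hex strings, and the difference between a verifier that accepts the client-side digest as the secret and one that derives a salted verifier server-side. The heap bytes, the example password and the function names are all constructed for this example; the real dump and credential are not used.

```python
import hashlib
import hmac
import os
import re

# Constructed heap-dump fragment (example bytes, not the real TeleLeak dump):
# the username String sits next to the client-side SHA-256 digest.
LEAKED_DIGEST = hashlib.sha256(b"example-admin-password").hexdigest()
FAKE_HEAP = b"\x01java.lang.String\x00admin\x00" + LEAKED_DIGEST.encode() + b"\x00JSESSIONID\x00"
DIGEST_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-f]{64}(?![0-9a-fA-F])")
ITERATIONS = 200_000


def find_digests(blob: bytes) -> list[str]:
    """Return every 64-hex-char run (SHA-256 length) found in raw memory."""
    return [m.decode() for m in DIGEST_RE.findall(blob)]


def digest_login(users: dict[str, str], username: str, submitted: str) -> bool:
    """The TeleLeak pattern: the browser sends sha256(password) in the password
    field and the server compares it to the stored digest. The digest itself is
    the secret, so any copy that leaks (here, from the heap) can be replayed."""
    stored = users.get(username)
    return stored is not None and hmac.compare_digest(stored, submitted)


def make_verifier(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Hardened form: a per-user salted, iterated verifier derived server-side."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def salted_login(users: dict[str, tuple[bytes, bytes]], username: str, password: str) -> bool:
    """The server re-derives from whatever plaintext arrives (over TLS), so a
    leaked verifier or digest submitted as the password does not match. This
    does not fix the exposed /actuator/heapdump itself; that still needs locking down."""
    rec = users.get(username)
    if rec is None:
        return False
    salt, verifier = rec
    return hmac.compare_digest(verifier, make_verifier(password, salt)[1])


def replay_demo() -> tuple[bool, bool]:
    """Replay the hex string pulled from FAKE_HEAP against both verifiers."""
    leaked = find_digests(FAKE_HEAP)[0]
    vulnerable = digest_login({"admin": LEAKED_DIGEST}, "admin", leaked)
    hardened_users = {"admin": make_verifier("example-admin-password")}
    return vulnerable, salted_login(hardened_users, "admin", leaked)  # (True, False)
```

The salted form only removes the replay value of a leaked digest; the actuator exposure that put live objects in reach is the root cause and has to be closed separately.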

Exploitation

...
