web free easy

Bricktator

umasscybersec

Task: valid user credentials exposed a Spring Boot panel with authenticated actuator access. Solution: confirm locally that /actuator/heapdump keeps flag-like secrets in memory, then download the remote heap dump once and extract the real UMASS flag from strings output.

$ ls tags/ techniques/
actuator_recon heapdump_secrets_extraction

Bricktator — UMass Cybersecurity CTF

Description

Organizer description was not preserved in the local task files.

English summary: we were given source code plus bricktator/goldeagle credentials. After login, the application exposed Spring Boot actuator endpoints, and the key issue was that /actuator/heapdump was readable and leaked secrets directly from process memory.

Analysis

The login from dossier.txt gave access to the application as bricktator. That account had the ROLE_YANKEE_WHITE permissions needed to browse actuator functionality, so the attack surface expanded immediately after authentication.

Local testing showed that /actuator/heapdump was exposed and that running strings on the dump revealed sensitive constants, including the placeholder flag stored in memory. That confirmed the remote target likely kept the real flag in the same place.

Solution

  1. Read the dossier and log in with bricktator/goldeagle.
  2. Use the granted role to access actuator endpoints.
  3. Verify locally that /actuator/heapdump contains the placeholder flag in heap strings.
  4. On the remote target, download /actuator/heapdump once.
  5. Run strings on the dump and search for UMASS{ to recover the flag.

#!/usr/bin/env python3
import re
import subprocess
from pathlib import Path
import requests
...
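
The local check in steps 3 and 5, as an added example (not the writeup's own script, which is cut off above): a scan of heap dump bytes for `UMASS{...}` values. It goes beyond plain `strings` by also matching UTF-16BE, the layout HPROF uses for `char[]`-backed strings; `find_secrets` and the sample bytes are constructed for illustration.

```python
import re

# Printable single-byte characters allowed inside the braces (no control bytes, no braces).
BODY = rb"[^\x00-\x1f\x7f-\xff{}]"


def _utf16be(literal: bytes) -> bytes:
    """Interleave NUL bytes: HPROF writes char[] elements as 2-byte big-endian."""
    return b"".join(b"\x00" + bytes([c]) for c in literal)


def find_secrets(dump: bytes, prefix: bytes = b"UMASS{"):
    """Return sorted (offset, encoding, text) for every prefix...} value in the dump."""
    one_byte = re.compile(re.escape(prefix) + BODY + rb"{1,200}\}")
    two_byte = re.compile(
        re.escape(_utf16be(prefix)) + rb"(?:\x00" + BODY + rb"){1,200}\x00\}"
    )
    hits = [(m.start(), "latin-1", m.group().decode("latin-1"))
            for m in one_byte.finditer(dump)]
    hits += [(m.start(), "utf-16-be", m.group().decode("utf-16-be"))
             for m in two_byte.finditer(dump)]
    return sorted(hits)


# Constructed sample bytes standing in for a heap dump (not a real HPROF file).
SAMPLE = (
    b"JAVA PROFILE 1.0.2\x00" + b"\x23\x01" * 4
    + b"UMASS{placeholder_flag}"                 # compact (Latin-1) string bytes, JDK 9+
    + b"\x00\xff\x10"
    + "UMASS{wide_copy}".encode("utf-16-be")     # char[]-backed string
    + b"\x00\x00" + b"UMASS{\x00truncated"       # no closing brace: must not match
)

if __name__ == "__main__":
    for offset, encoding, text in find_secrets(SAMPLE):
        print(f"{offset:#x} {encoding:9} {text}")
```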