picoCTF: head-dump — Writeup
Published on June 4, 2025
Challenge: picoCTF: head-dump
Difficulty: Easy
This challenge involved a web app with an embedded flag hidden in a server memory dump. The description made a direct reference to "API Documentation," which wasn’t just fluff — it was a roadmap.
Initial Analysis
I opened the site and skipped the guesswork. Used browser dev tools and searched the source for patterns like `/api`, `/docs`, or anything that hinted at internal routing.
My Theory
They called out API documentation in the challenge. That means they *wanted* me to find the docs. If it's a modern web app, there's probably a Swagger-style endpoint revealing all routes — including a potential heap/memory dump endpoint.
Discovery Process
Searched the source with Ctrl+F. Hit on a goldmine:
/api-docs/#/
That link took me to a full API documentation interface. In it, I found:
GET /heapdump
No need to guess. This route was literally handed to me. I hit it directly:
```bash
curl http://<target>/heapdump
```
Got a raw memory dump file. Saved it and extracted readable text:
```bash
strings heapdump > parsed.txt
grep picoCTF parsed.txt
```
Found the flag hidden in the dump.
Flag: picoCTF{...}
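What the `strings | grep` step above actually does, as an added Python example (not part of the original writeup): pull runs of printable ASCII out of a binary blob, then match the flag pattern. The dump bytes and the flag value are constructed for this example; the second candidate is deliberately interrupted by a NUL byte to show that `strings`-style extraction drops any value split by a non-printable byte.

```python
import re
from typing import List

# Minimum run length, matching the strings(1) default of 4.
MIN_RUN = 4
# Printable ASCII plus tab; strings(1) treats these as "printable".
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

FLAG_RE = re.compile(r"picoCTF\{[^{}]*\}")


def extract_strings(blob: bytes, min_run: int = MIN_RUN) -> List[str]:
    """Return every run of printable ASCII at least min_run bytes long."""
    runs, current = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            current.append(b)
            continue
        if len(current) >= min_run:
            runs.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_run:          # flush a run that ends at EOF
        runs.append(current.decode("ascii"))
    return runs


def find_flags(blob: bytes) -> List[str]:
    """Equivalent of `strings dump | grep picoCTF`, restricted to full flag shapes."""
    hits = []
    for s in extract_strings(blob):
        hits.extend(FLAG_RE.findall(s))
    return hits


# Constructed sample dump (not a real heap dump): binary noise around two
# flag-shaped strings. Only the first is intact; the second has a NUL inside it.
SAMPLE_DUMP = (
    b"\x00\x01\x02JSON\x00\xff\xfe"
    b"session=abc123\x00\x00"
    b"picoCTF{constructed_example_flag}\x00"
    b"\x90\x90\x90\x90picoCTF{\x00broken}"
    b"end\x00"
)

if __name__ == "__main__":
    for flag in find_flags(SAMPLE_DUMP):
        print(flag)
```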
Key Takeaway
The API doc mention was the entire playbook. Don’t ignore those “details” in challenge descriptions — they’re often the answer key. Go to the source, look at what the devs left behind, and always assume structure over randomness. Systematic > blind guessing.