OWASP Top 10
Exposed Credentials (Beginner, 100 points)
Challenge Description

Developers often accidentally leave credentials, API keys, and other sensitive information in places where they shouldn't be. Your mission is to find the hidden credentials in this application's source code, HTML comments, configuration files, and git history.

Objective: Find the hidden flag by examining exposed credentials. The flag format is FLAG{...}
Simulated Application

Examine the sources below. Real-world attackers check these locations for leaked secrets.

View Page Source (Ctrl+U in browser)
<!DOCTYPE html>
<html>
<head>
    <title>Company Portal</title>
    <!--
        TODO: Remove before production!
        Dev credentials: dev_user / dev_pass_123
        Staging API key: stg_api_key_abc123
    -->
    <script>
        // Configuration - DO NOT COMMIT TO REPO
        var config = {
            apiUrl: 'https://api.company.com',
            // Temporary admin bypass for testing
            adminToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4iLCJmbGFnIjoiRkxBR3tDUjNEM05UMTRMU18zWFAwUzNEfSJ9',
            debugMode: true
        };

        /*
         * Legacy auth function - keeping for reference
         * function legacyLogin() {
         *     return fetch('/api/login', {
         *         body: JSON.stringify({user: 'backup_admin', pass: 'backup_789!'})
         *     });
         * }
         */
    </script>
</head>
<body>
    <div id='app'>
        <!-- Debug panel (hidden in production) -->
        <div style='display:none' id='debug-panel' data-api-key='prod_api_key_xyz789'>
            <p>DB Host: db.internal.company.com</p>
            <p>DB User: app_user</p>
            <!-- DB Pass: Th1s1sN0tS3cur3! -->
        </div>
    </div>

    <!-- Google Analytics -->
    <script>
        // gtag('config', 'GA-XXXXXX');
    </script>

    <!-- Build info: compiled by jenkins with creds admin:jenkins_build_pass -->
</body>
</html>

Tip: Look for HTML comments, JavaScript variables, and hidden elements.

appsettings.json (Exposed via misconfiguration)
{
    "AppSettings": {
        "Environment": "Production",
        "DebugMode": false,
        "LogLevel": "Warning"
    },
    "ConnectionStrings": {
        "DefaultConnection": "Server=prod-db.internal;Database=AppDB;User=app_service;Password=Pr0d_Ap9_P@ss!;Encrypt=true",
        "ReadOnlyConnection": "Server=prod-db-ro.internal;Database=AppDB;User=readonly_user;Password=R34d0nly_P@ss!"
    },
    "Authentication": {
        "JwtSecret": "super_secret_jwt_key_do_not_share_FLAG{CR3D3NT14LS_3XP0S3D}",
        "TokenExpiration": 3600,
        "AdminBypassToken": "ADMIN_BYPASS_TOKEN_123"
    },
    "ExternalServices": {
        "PaymentGateway": {
            "ApiKey": "pk_live_payment_gateway_key",
            "SecretKey": "sk_live_payment_secret_DONOT_COMMIT",
            "WebhookSecret": "whsec_webhook_verification_key"
        },
        "EmailService": {
            "ApiKey": "SG.email_service_api_key_here",
            "FromAddress": "noreply@company.com"
        },
        "CloudStorage": {
            "AccessKey": "AKIAIOSFODNN7EXAMPLE",
            "SecretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "Bucket": "company-prod-storage"
        }
    },
    "_comment": "Last updated by admin, password: ConfigUpdate2024!"
}

Tip: Configuration files often contain database credentials and API keys.

Git Commit History (/.git/ exposed)
a1b2c3d 2025-12-29
Initial commit
by dev@company.com
Changed: README.md, src/app.js
e4f5g6h 2026-01-03
Add database configuration
by dev@company.com
Changed: config/database.yml
Diff:
+ database:
+   host: localhost
+   user: root
+   password: root_password_123
+   name: development_db
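Review bot: `+   password: root_password_123` commits a plaintext database credential, and `user: root` with it; even for a local development database, config/database.yml should reference an environment variable or a secrets store, the file itself should be ignored by git, and a committed database.yml.example with placeholder values should document the shape instead.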
i7j8k9l 2026-01-08
Add production credentials (REMOVE BEFORE MERGE)
by admin@company.com
Changed: config/production.env
Diff:
+ DB_PASSWORD=Pr0duct10n_DB_P@ssw0rd!
+ API_SECRET=FLAG{CR3D3NT14LS_3XP0S3D}
+ ADMIN_TOKEN=admin_production_token_xyz
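Review bot: all three `+` lines add production secrets in plaintext, and the commit message itself says REMOVE BEFORE MERGE; a commit that is known to need removing should not be pushed at all, because once it is pushed every value in it (DB_PASSWORD, API_SECRET, ADMIN_TOKEN) has to be treated as compromised and rotated regardless of any later cleanup. Write `${VAR}` references into config/production.env from the start and have a pre-commit secret scan reject lines like these.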
m0n1o2p 2026-01-09
Remove credentials from config
by admin@company.com
Changed: config/production.env
Diff:
- DB_PASSWORD=Pr0duct10n_DB_P@ssw0rd!
- API_SECRET=FLAG{CR3D3NT14LS_3XP0S3D}
- ADMIN_TOKEN=admin_production_token_xyz
+ DB_PASSWORD=${DB_PASSWORD}
+ API_SECRET=${API_SECRET}
+ ADMIN_TOKEN=${ADMIN_TOKEN}
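Review bot: swapping the values for `${DB_PASSWORD}`-style references fixes the working tree but not the exposure: commit i7j8k9l still carries the plaintext values, so anyone who can read the repository (here, the exposed /.git/) recovers them from history. The three credentials must be rotated, and the history rewritten or the repository re-created before it is published; the commit message "Remove credentials from config" should say so rather than imply the problem is closed.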
q3r4s5t 2026-01-18
Update dependencies
by dev@company.com
Changed: package.json

Tip: Secrets "removed" from code are still in git history!
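As an added example (not part of the challenge page or of any particular tool), a minimal secret scanner in Python of the kind a pre-commit hook or CI job would run over the three sources above: it catches the page's own dummy values (the HTML-comment credentials, the JWT, the connection-string password, the AWS-style access key ID, and the `+` lines of the diff) while letting `${VAR}` references through. The sample text is constructed from one line of each snippet, and the rule set is mine.

```python
import re

# Constructed sample: one line each from the challenge's page source,
# appsettings.json and the git diff, plus the corrected placeholder line.
SAMPLE = "\n".join([
    "    <!-- Dev credentials: dev_user / dev_pass_123 -->",
    "    adminToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJyb2xlIjoiYWRtaW4iLCJmbGFnIjoiRkxBR3tDUjNEM05UMTRMU18zWFAwUzNEfSJ9',",
    '    "DefaultConnection": "Server=prod-db.internal;Database=AppDB;'
    'User=app_service;Password=Pr0d_Ap9_P@ss!;Encrypt=true",',
    '    "AccessKey": "AKIAIOSFODNN7EXAMPLE",',
    "+ DB_PASSWORD=Pr0duct10n_DB_P@ssw0rd!",
    "+ DB_PASSWORD=${DB_PASSWORD}",
])

# (rule name, regex). Group 1, where present, isolates the secret value itself.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}(?:\.[A-Za-z0-9_-]*)?")),
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^'\";,\s]+)")),
    ("credential_comment", re.compile(r"(?i)credentials?:\s*\S+\s*/\s*(\S+)")),
]
# ${DB_PASSWORD} is a reference to an injected value, not a secret: allow it.
PLACEHOLDER = re.compile(r"^\$\{[A-Z0-9_]+\}$")


def scan(text):
    """Return (line_no, rule_name, value) for each suspected hard-coded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, regex in RULES:
            for match in regex.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if PLACEHOLDER.match(value):
                    continue
                findings.append((line_no, name, value))
    return findings


if __name__ == "__main__":
    for line_no, name, value in scan(SAMPLE):
        # Print only a prefix so the report itself does not re-leak the value.
        print(f"line {line_no}: {name}: {value[:6]}...")
```

Run on a real repository the same function should see each staged file's content, and the `+` lines of `git diff --cached`, so the i7j8k9l commit above would have been blocked before it existed.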

robots.txt (Directory enumeration)
User-agent: *
Disallow: /admin/
Disallow: /api/internal/
Disallow: /debug/
Disallow: /backup/
Disallow: /.git/
Disallow: /config/
Disallow: /logs/
Disallow: /phpMyAdmin/
Disallow: /.env
Disallow: /wp-admin/

# Note: Admin panel at /secret-admin-panel-2024/
# Backup server: backup.internal.company.com

Tip: robots.txt reveals paths the site doesn't want indexed - often sensitive directories!

JWT Decoder Tool

Found a JWT token? Decode it here:
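Added example, not the page's own decoder tool: a Python decoder for the `adminToken` from the page source above. It re-adds the base64url padding that JWTs strip and reports the point a defender cares about: the token has only two segments, so nothing signs its claims and a server must never grant the `admin` role on the strength of it.

```python
import base64
import json

# The challenge's adminToken, copied from the simulated page source:
# header.payload with no signature segment at all.
ADMIN_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJyb2xlIjoiYWRtaW4iLCJmbGFnIjoiRkxBR3tDUjNEM05UMTRMU18zWFAwUzNEfSJ9")


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token):
    """Decode header and payload WITHOUT verifying anything.

    Returns {"header", "payload", "signed"}; "signed" is False when the token
    carries no signature segment or declares alg "none", i.e. when no party
    has vouched for the claims and they must not be trusted.
    """
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("not a JWT: expected 2 or 3 dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = parts[2] if len(parts) == 3 else ""
    return {
        "header": header,
        "payload": payload,
        "signed": bool(signature) and str(header.get("alg", "none")).lower() != "none",
    }


if __name__ == "__main__":
    result = inspect_jwt(ADMIN_TOKEN)
    print("header :", result["header"])
    print("payload:", result["payload"])
    print("signed :", result["signed"])   # False: header claims HS256 but nothing is signed
```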
