Challenge 61 ☆☆

Welcome to Challenge 61.

Telegram Channel Secrets

Many mobile applications and services use Telegram bots for notifications, monitoring, or user interaction. Developers often hardcode Telegram bot credentials directly in their application source code, making these secrets easily discoverable by anyone who has access to the codebase.

In this challenge, a developer has embedded Telegram bot credentials in the application code to communicate with a control channel. The actual secret answer is posted in the Telegram channel that can be accessed using these credentials.

Can you find the hardcoded Telegram bot token and use it to discover the secret in the associated channel?

💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

You can solve this challenge using any of the following approaches:

  1. Find the bot token in the source code

    • Look at the Challenge61 class in the source code

    • Find the encoded bot token in the getBotToken() method

    • Decode the Base64-encoded string (it’s double-encoded)

    • The token format is: BOTID:TOKEN_STRING

  2. Use the bot token to access the Telegram channel

    • The bot token can be used with the Telegram Bot API

    • Visit https://t.me/WrongsecretsBot to see the channel

    • Look for messages in the channel that contain the secret

    • For this challenge, the secret is: telegram_secret_found_in_channel

  3. Analyze the code structure

    • The challenge follows the same pattern as other social media challenges

    • Check how the getTelegramSecret() method works

    • Look for hardcoded return values that represent the expected answer

What’s wrong?

Hardcoding Telegram bot credentials in source code is a serious security vulnerability:

Security Issues:

  1. Exposed API Credentials: Bot tokens provide full access to the Telegram bot functionality

  2. Channel Compromise: Anyone with the token can read messages, send messages, and potentially access private information

  3. Source Code Exposure: Credentials are visible to anyone with access to the codebase

  4. Version Control History: Tokens remain in git history even if later removed

Real-world Impact:

    • Attackers can use bot tokens to send spam or malicious messages

    • Sensitive information shared in channels becomes accessible to unauthorized users

    • Bot functionality can be hijacked for malicious purposes

    • Compliance violations if the bot handles personal or sensitive data

How to fix:

  1. Environment Variables: Store bot tokens in environment variables or secure configuration files

  2. Secret Management: Use dedicated secret management services (HashiCorp Vault, AWS Secrets Manager, etc.)

  3. Token Rotation: Regularly rotate bot tokens and revoke old ones

  4. Access Controls: Implement proper access controls for who can access bot credentials

  5. Code Reviews: Always review code for hardcoded secrets before committing

Detection:

    • Use secret scanning tools in your CI/CD pipeline

    • Implement pre-commit hooks to catch hardcoded credentials

    • Regular security audits of codebase

    • Monitor for unexpected bot activity
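The detection bullets above and the double-Base64 encoding described in the walkthrough call for the same thing: a scanner that recognises a Telegram bot token even when it is wrapped in one or more Base64 layers. The following Python is an added example, not WrongSecrets project code; it scans constructed Java-like source (not the real Challenge61 class), peels up to three Base64 layers from long Base64-looking literals, and reports any BOTID:TOKEN_STRING match with the token masked. The token shape (8 to 10 digit bot id, colon, 35 characters of letters, digits, underscore or hyphen) is the commonly observed format and is an assumption here; the dummy token and sample file are constructed.

```python
import base64
import binascii
import re
import sys
from typing import Iterator, List, Tuple

# Assumed Telegram bot token shape: "<8-10 digit bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")

# Base64 literals long enough to hold an encoded token (45 plaintext chars -> 60 Base64 chars).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

MAX_DECODE_DEPTH = 3


def decode_layers(blob: str, max_depth: int = MAX_DECODE_DEPTH) -> List[str]:
    """Return [blob, decode(blob), decode(decode(blob)), ...], stopping at the
    first layer that is not valid Base64 or does not decode to ASCII text."""
    results = [blob]
    current = blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        results.append(decoded)
        current = decoded
    return results


def mask(token: str) -> str:
    """Keep the bot id and a few secret characters so a report is useful but not reusable."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def scan_line(line: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, token) for every token found in one source line.
    kind is "plaintext" or "base64x<N>" for a token hidden under N Base64 layers."""
    for m in TOKEN_RE.finditer(line):
        yield ("plaintext", m.group(0))
    for m in B64_RE.finditer(line):
        for depth, text in enumerate(decode_layers(m.group(0))):
            if depth == 0:
                continue  # depth 0 is the raw literal, already covered by the plaintext pass
            for t in TOKEN_RE.finditer(text):
                yield (f"base64x{depth}", t.group(0))


def scan_source(source: str) -> List[dict]:
    """Scan a whole file's text; each finding records the line number, how the
    token was hidden, and a masked copy of the token."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, token in scan_line(line):
            findings.append({"line": lineno, "kind": kind, "token": mask(token)})
    return findings


# Constructed sample data: a dummy token, its double-Base64 form, and a harmless Base64 string.
DUMMY_TOKEN = "123456789:AAH" + "0" * 32  # constructed, not a real bot token
DOUBLE_ENCODED = base64.b64encode(base64.b64encode(DUMMY_TOKEN.encode())).decode()
BENIGN_B64 = base64.b64encode(b"This is just a benign configuration string!!").decode()

# Constructed Java-like source mimicking the hardcoding pattern (not the project's Challenge61 class).
SAMPLE_SOURCE = f'''public class Challenge61Like {{
    private static final String ENCODED = "{DOUBLE_ENCODED}";  // double Base64
    private static final String LEGACY = "{DUMMY_TOKEN}";  // plaintext
    private static final String NOTE = "{BENIGN_B64}";  // harmless Base64
}}
'''


def main(paths: List[str]) -> int:
    """Pre-commit style entry point: scan the given files (or the sample when none
    are given) and return a non-zero exit code if anything was found."""
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE_SOURCE)]
    total = 0
    for name, text in sources:
        for f in scan_source(text):
            print(f"{name}:{f['line']}: possible Telegram bot token ({f['kind']}): {f['token']}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to scan the built-in sample, or pass file paths to use it as a pre-commit hook (a non-zero exit blocks the commit). The scanner reports the double-encoded literal on line 2 and the plaintext token on line 3, and stays silent on the benign Base64 string, because the decoded text never matches the token shape.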