
DeconstruCT.F 2023 - debugzero

Description

Category: Web

Someone on the dev team fat fingered their keyboard, and deployed the wrong app to production. Try and find what went wrong. The flag is in a file called “flag.txt”

Hint

Are there any python servers that can store water ; )

Resolution

Let’s gather some information:

  1. According to the hint, we know that the web app uses a Python framework.
  2. In the index source file, we can find an interesting comment:
    ...
      <!-- John, please don't run the app in debug mode, how many times do I have to tell you this! -->
    ...


So we know the web app runs in debug mode (the challenge name says as much) and that it uses a Python framework, which should be Flask.

We accessed the Flask debug interface by going to /console, but the console is protected by a PIN code:

Console

We did some research to find a way to bypass the PIN and found an article about it:

We tried to carry out the exploit, but we could not find a file traversal endpoint, which is needed to leak the information used to recover the PIN.

We decided to take a close look at all the available source files, and we found something very interesting in the style.css file:

    /* Nothing interesting here except this number - 934123 */

We used the number found in style.css to access the console, and it worked:

Console unlocked

Once we have access to the console, we can read the content of flag.txt:

Read flag.txt

And we get the flag: dsc{n3veR_u53_d3BuG_m0d3}.
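Both mistakes in this challenge, debug mode left on in the deployed app and comments left in served files, can be caught before deployment. The check below is an added example, not part of the original writeup or the challenge code; the function names, the digit-run heuristic and the sample file contents are assumptions constructed from what the writeup describes.

```python
import ast
import re

# Comments in served assets: <!-- ... --> (HTML) and /* ... */ (CSS/JS).
COMMENT_RE = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/", re.DOTALL)
# Heuristic (assumption): flag comments mentioning debug or holding 4+ digits.
SUSPICIOUS_RE = re.compile(r"debug|\d{4,}", re.IGNORECASE)

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def find_debug_enabled(source, filename="<app>"):
    """Findings for debug mode switched on in Python source (Python 3.9+ AST)."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):  # e.g. app.run(debug=True)
            for kw in node.keywords:
                if kw.arg == "debug" and _is_true(kw.value):
                    findings.append((filename, node.lineno, "debug=True in call"))
        elif isinstance(node, ast.Assign) and _is_true(node.value):
            for tgt in node.targets:  # app.debug = True / app.config["DEBUG"] = True
                key = tgt.slice if isinstance(tgt, ast.Subscript) else None
                if isinstance(tgt, ast.Attribute) and tgt.attr == "debug":
                    findings.append((filename, node.lineno, "debug attribute = True"))
                elif isinstance(key, ast.Constant) and key.value == "DEBUG":
                    findings.append((filename, node.lineno, "config DEBUG = True"))
    return findings

def find_leaky_comments(text, filename):
    """Findings for comments in served files that hint at debug mode or secrets."""
    findings = []
    for m in COMMENT_RE.finditer(text):
        body = (m.group(1) or m.group(2) or "").strip()
        if SUSPICIOUS_RE.search(body):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((filename, line, body))
    return findings

# Constructed sample files, modelled on what the writeup describes.
# SAMPLE_APP is only parsed, never executed, so Flask need not be installed.
SAMPLE_APP = ('from flask import Flask\napp = Flask(__name__)\n'
              'app.run(host="0.0.0.0", debug=True)\n')
SAMPLE_HTML = ("<html>\n<!-- John, please don't run the app in debug mode, "
               "how many times do I have to tell you this! -->\n</html>\n")
SAMPLE_CSS = "/* Nothing interesting here except this number - 934123 */\nbody { margin: 0; }\n"

if __name__ == "__main__":
    for src, name in ((SAMPLE_HTML, "index.html"), (SAMPLE_CSS, "style.css")):
        print(find_leaky_comments(src, name))
    print(find_debug_enabled(SAMPLE_APP, "app.py"))
```

Run as a CI step over the application source and the static directory, any finding should fail the build until a human has reviewed it.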

This post is licensed under CC BY 4.0 by the author.