Debug_Disaster

Challenge

Imported from local notes.md.

Solution

Original Notes

Debug_Disaster

Challenge Summary

  • Given: a live Flask web service at http://23.179.17.92:5002 with no downloadable files.
  • Goal: recover the flag from the production application.
  • Constraints: do not submit the flag; store it locally once recovered.

Initial Recon / Triage

  • Observations: the root page was a minimal Flask page and the Server response header exposed Werkzeug/3.1.8 Python/3.11.15, so Werkzeug's built-in development server was answering requests directly, which strongly suggested a debug-enabled Flask deployment.
  • File identification: there were no attached files, so the target had to be solved via black-box HTTP enumeration.
  • Entry points: /, the exposed Werkzeug debugger surface, and any hidden routes revealed through enumeration.

Hypotheses & Approach

  • Hypothesis 1: if debug mode was left enabled, an unhandled exception route could expose source code or a traceback containing sensitive application details.
  • Hypothesis 2: the “forgot to remove something from the application structure” hint suggested a leftover developer or debug route reachable by directory brute forcing.

Execution Steps (Reproducible)

Stage 1

Commands:

curl -i -s http://23.179.17.92:5002/
ffuf -u http://23.179.17.92:5002/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -mc all -fs 207 -t 40 -s
curl -i -s http://23.179.17.92:5002/admin | head -n 120

Results:

  • The root page returned Werkzeug/3.1.8 Python/3.11.15.
  • Directory brute forcing found /admin.
  • Visiting /admin triggered a full Werkzeug debugger traceback instead of a generic 500 page.

Stage 2

Commands:

curl -s http://23.179.17.92:5002/admin | rg -n "/app/app.py|@app.route|open\(\".env\"\)"
curl -s http://23.179.17.92:5002/flg_bar
python3 artifacts/exploit.py

Results:

  • The traceback exposed application source for /app/app.py.
  • The leaked source showed a hidden route:
      @app.route("/flg_bar")
      def env():
          return open(".env").read(), 200, {"Content-Type": "text/plain"}
  • Requesting /flg_bar returned the .env file, including the flag.
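
Both mistakes found in this stage can be caught before deployment. The static check below is an added example, not part of the original notes or the challenge's code: it parses a Flask source file with Python's ast module and flags debug=True passed to run() and any routed view that opens a file matching a deny-list. SAMPLE_APP, SENSITIVE and the function names are assumptions; only the /flg_bar view comes from the leaked source.

```python
import ast

# Constructed sample. The /flg_bar view is the one leaked in the traceback; the
# /admin body and the app.run(debug=True) line are assumptions about the rest.
SAMPLE_APP = '''
from flask import Flask
app = Flask(__name__)
@app.route("/admin")
def admin():
    raise RuntimeError("unfinished view")

@app.route("/flg_bar")
def env():
    return open(".env").read(), 200, {"Content-Type": "text/plain"}

app.run(host="0.0.0.0", port=5002, debug=True)
'''
SENSITIVE = (".env", "id_rsa", "credentials")  # hypothetical deny-list

def route_paths(func):
    """URL rules taken from @<obj>.route("...") decorators on a view."""
    return [d.args[0].value for d in func.decorator_list
            if isinstance(d, ast.Call) and getattr(d.func, "attr", "") == "route"
            and d.args and isinstance(d.args[0], ast.Constant)]

def opened_literals(func):
    """(line, name) for string literals passed to open() inside a view."""
    return [(c.lineno, c.args[0].value) for c in ast.walk(func)
            if isinstance(c, ast.Call) and getattr(c.func, "id", "") == "open"
            and c.args and isinstance(c.args[0], ast.Constant)
            and isinstance(c.args[0].value, str)]

def audit(source):
    """Return sorted (line, finding) tuples for one Flask source file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and getattr(node.func, "attr", "") == "run":
            if any(k.arg == "debug" and getattr(k.value, "value", None) is True
                   for k in node.keywords):
                findings.append((node.lineno, "debug=True passed to run()"))
        if isinstance(node, ast.FunctionDef):
            for path in route_paths(node):
                for line, name in opened_literals(node):
                    if any(s in name for s in SENSITIVE):
                        findings.append((line, f"route {path} serves {name}"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_APP))
```

The check only sees literal arguments, so debug mode enabled through the environment or a file name built at runtime still needs a configuration review.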

Artifacts Produced

  • artifacts/fetch_files.py: helper used to pull the official challenge metadata into the workspace.
  • artifacts/exploit.py: minimal reproducible script that hits /admin and /flg_bar.
  • artifacts/admin_trace.html: saved Werkzeug traceback page from /admin.
  • artifacts/flg_bar.env: leaked .env content returned by the hidden route.

Flag

CIT{H1dd3n_D1r5_3v3rywh3r3}