This post is a writeup of 'slightly-broken' challenge from <a target="_blank" href="https://warmup1.cyberedu.ro/">Cyberedu Warm-up CTF #1</a>. Once you access the challenge web site, you will see a page with a link which will lead to a <a target="_blank" href="https://werkzeug.palletsprojects.com/en/1.0.x/">Werkzeug</a> debugger page.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1601602975529/lrc0Ru-Zi.png" alt="Screen Shot 2020-10-01 at 1.21.08 PM.png" />
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1601602992512/pDBzAZfiq.png" alt="Screen Shot 2020-10-01 at 1.22.32 PM.png" />
Remote Code Execution, or RCE, via this debugger page is widely known security issue [1][2] and you can access interactive console UI via /console. (Side note: I was about to try Flask Jinja SSTI if this did not work) 
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1601605130145/aAtgcsuzN.png" alt="Screen Shot 2020-10-01 at 1.23.12 PM.png" />
All you need to do is read the <code>flag.txt</code> file from the current directory.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1601605151757/l_BaV4urW.png" alt="Screen Shot 2020-10-01 at 1.30.40 PM.png" />
[1] <a href="https://www.exploit-db.com/exploits/43905" class="autolinkedURL autolinkedURL-url" target="_blank">exploit-db.com/exploits/43905</a> 
[2] <a href="https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/" class="autolinkedURL autolinkedURL-url" target="_blank">labs.detectify.com/2015/10/02/how-patreon-g..</a>

This post is a writeup of **'slightly-broken'** challenge from [Cyberedu Warm-up CTF #1](https://warmup1.cyberedu.ro/). Once you access the challenge web site, you will see a page with a link which will lead to a [Werkzeug](https://werkzeug.palletsprojects.com/en/1.0.x/) debugger page.

![Screen Shot 2020-10-01 at 1.21.08 PM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1601602975529/lrc0Ru-Zi.png)

![Screen Shot 2020-10-01 at 1.22.32 PM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1601602992512/pDBzAZfiq.png)

Remote Code Execution, or RCE, via this debugger page is widely known security issue [1][2] and you can access interactive console UI via /console. (Side note: I was about to try Flask Jinja SSTI if this did not work) 

![Screen Shot 2020-10-01 at 1.23.12 PM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1601605130145/aAtgcsuzN.png)


All you need to do is read the `flag.txt` file from the current directory.

![Screen Shot 2020-10-01 at 1.30.40 PM.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1601605151757/l_BaV4urW.png)


[1] https://www.exploit-db.com/exploits/43905 
[2] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/

Untitled

Untitled

Python Werkzeug Debugger Fun