# [EN] Blank Site 2

###### tags: `Writeup` `Web` `English`

> [name=Curious]

## Train of Thought & Solution

Continuing from the previous question's [Writeup](https://hackmd.io/@LoTuX-CTF/Blank_Site_1_EN), after downloading `app.py`, you can find the following piece of code:

```python
@app.get('/1d538e83d6f6b08f')
def secret():
    try:
        with open('/proc/sys/kernel/random/boot_id') as f:
            hint = f.readline().strip()
    except:
        hint = ""
    return {"FLAG1": "LoTuX{???}", "Hint": hint}
```

This means that we can obtain the value of `/proc/sys/kernel/random/boot_id` by accessing `/1d538e83d6f6b08f`.

Analyzing the rest of the code shows that `app.py` has debug mode enabled. Therefore, we can check whether debug mode can be exploited to achieve something like RCE.

## Solution

First, you can refer to [this blog post](https://curious-lucifer.github.io/post/note-flask_debug_mode/) to understand that you can calculate the PIN or the cookie name/value using the following information: the username, the server's MAC address, `/etc/machine-id` or `/proc/sys/kernel/random/boot_id`, and `open("/proc/self/cgroup", "rb").readline().strip().rpartition(b"/")[2]`.

The username can be found by downloading `../../../../etc/passwd`, which reveals that the username is `blanksiteuser`.

Since CTFd environments are typically hosted in Docker, you can rely on the characteristics of Docker containers to determine that `/etc/machine-id` and `open("/proc/self/cgroup", "rb").readline().strip().rpartition(b"/")[2]` are empty. The MAC address will typically start at `02:42:ac:11:00:02` and increment from the last byte.

So, armed with this information, you can brute-force the MAC address to calculate the cookie name/value pair, then test whether it is correct. If it is, you can use Python to get RCE.
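
From the defender's side, the two conditions this writeup relies on (debug mode enabled, and application code that reads one of the PIN inputs) can be caught in code review. The following is an added example, not part of the original writeup or the challenge's code: a small static check built on Python's `ast` module. The names `audit_flask_source` and `PIN_INPUT_PATHS`, and the constructed sample including its `app.run(...)` line, are assumptions.

```python
import ast

# Files the writeup lists as inputs to the Werkzeug debugger PIN/cookie.
PIN_INPUT_PATHS = (
    "/etc/machine-id",
    "/proc/sys/kernel/random/boot_id",
    "/proc/self/cgroup",
)

# Constructed sample modelled on the route above; the app.run line is assumed.
SAMPLE_APP = '''\
from flask import Flask
app = Flask(__name__)

@app.get('/1d538e83d6f6b08f')
def secret():
    with open('/proc/sys/kernel/random/boot_id') as f:
        hint = f.readline().strip()
    return {"Hint": hint}

if __name__ == "__main__":
    app.run(host="0.0.0.0", debug=True)
'''

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def audit_flask_source(source):
    """Return sorted (line, message) findings for one Python source string."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):  # e.g. app.run(debug=True)
            for kw in node.keywords:
                if kw.arg == "debug" and _is_true(kw.value):
                    findings.add((node.lineno, "debug=True passed to a call"))
        elif isinstance(node, ast.Assign) and _is_true(node.value):  # app.debug = True
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "debug":
                    findings.add((node.lineno, "debug attribute set to True"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for path in PIN_INPUT_PATHS:  # string literal naming a PIN input file
                if path in node.value:
                    findings.add((node.lineno, "reads PIN input " + path))
    return sorted(findings)

if __name__ == "__main__":
    for line, message in audit_flask_source(SAMPLE_APP):
        print(f"line {line}: {message}")
```

The source is only parsed, never imported or executed, so the check can run in CI against untrusted branches without Flask installed.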