# [EN] Blank Site 2
###### tags: `Writeup` `Web` `English`
> [name=Curious]
## Train of Thought & Solution
Continuing from the previous question's [Writeup](https://hackmd.io/@LoTuX-CTF/Blank_Site_1_EN), after downloading `app.py`, you can find the following piece of code:
```python=
@app.get('/1d538e83d6f6b08f')
def secret():
    try:
        with open('/proc/sys/kernel/random/boot_id') as f:
            hint = f.readline().strip()
    except:
        hint = ""
    return {"FLAG1": "LoTuX{???}", "Hint": hint}
```
This means that we can obtain the value of `/proc/sys/kernel/random/boot_id` by accessing `/1d538e83d6f6b08f`.
Analyzing other parts of the code shows that `app.py` has debug mode enabled, so we can check whether debug mode can be exploited to achieve something like RCE.
## Solution
As [this blog post](https://curious-lucifer.github.io/post/note-flask_debug_mode/) explains, the PIN or the cookie name/value can be calculated from the following information: the username, the server's MAC address, `/etc/machine-id` or `/proc/sys/kernel/random/boot_id`, and `open("/proc/self/cgroup", "rb").readline().strip().rpartition(b"/")[2]`.
The username can be found by downloading `../../../../etc/passwd`, which reveals that it is `blanksiteuser`. Since CTFd environments are typically hosted in Docker, you can rely on the characteristics of Docker containers to determine that `/etc/machine-id` and `open("/proc/self/cgroup", "rb").readline().strip().rpartition(b"/")[2]` are empty. The MAC address typically starts at `02:42:ac:11:00:02` and increments from the last byte.
With this information, you can brute-force the MAC address to calculate the cookie name/value pair and test whether each candidate is correct. Once it is, you can use Python to achieve RCE.
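Seen from the server side, the steps above leave a recognisable trail in the access log: reads of the files that feed the PIN calculation, followed by requests carrying Werkzeug's `__debugger__=yes` parameter. The following detection sketch is an added example, not part of the challenge or the original write-up; the `/download?file=` endpoint, the IP addresses and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Files this write-up names as inputs to the debugger PIN / cookie calculation.
PIN_INPUT_FILES = (
    "/etc/passwd",
    "/etc/machine-id",
    "/proc/sys/kernel/random/boot_id",
    "/proc/self/cgroup",
)

# Common/combined log format: ip, two fields, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyse(lines):
    """Return {ip: severity} for clients probing PIN inputs or the debugger."""
    seen = defaultdict(lambda: {"pin_inputs": set(), "debugger_hits": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so that %2f and double-encoded %252f are both caught.
        target = unquote(unquote(m["target"]))
        for path in PIN_INPUT_FILES:
            if path.lstrip("/") in target:
                seen[m["ip"]]["pin_inputs"].add(path)
        if "__debugger__=yes" in target:
            seen[m["ip"]]["debugger_hits"] += 1
    alerts = {}
    for ip, s in seen.items():
        if s["pin_inputs"] and s["debugger_hits"]:
            alerts[ip] = "high"      # collected PIN inputs, then touched the debugger
        elif s["pin_inputs"] or s["debugger_hits"]:
            alerts[ip] = "medium"    # one half of the pattern only
    return alerts

# Constructed sample log lines (hypothetical /download endpoint).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1203',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /download?file=..%2f..%2f..%2f..%2fproc%2fself%2fcgroup HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /?__debugger__=yes&cmd=pinauth&pin=000-000-000&s=x HTTP/1.1" 200 40',
    '198.51.100.4 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 6000',
]

if __name__ == "__main__":
    for ip, severity in analyse(SAMPLE_LOG).items():
        print(ip, severity)
```

The route in `app.py` that returns `boot_id` directly does not show the file path in the URL, so it has to be watched by its own path; the lasting fix is to keep debug mode off on anything reachable by others.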