Forcing a debug error page in the app shows the Werkzeug “console locked” message:
```text
The console is locked and needs to be unlocked by entering the PIN.
You can find the PIN printed out on the standard output of your
shell that runs the server
```
The vulnerable Werkzeug debug console is at the path `vulnerable-site.com/console`, but it is locked by a secret PIN.
You can reverse the algorithm that generates the console PIN. Inspect Werkzeug’s debug `__init__.py` file on the server, e.g. `python3.5/site-packages/werkzeug/debug/__init__.py`. The file is also in the [Werkzeug source code repo](https://github.com/pallets/werkzeug/blob/master/src/werkzeug/debug/__init__.py), but it is better to leak the source code through a file traversal vulnerability, since versions likely differ.
In this file, the relevant method outlines the steps that generate the console PIN:

* `getattr(app, '__name__', getattr(app.__class__, '__name__'))` is `Flask`
* `getattr(mod, '__file__', None)` is the absolute path of `app.py` in the flask directory
* `uuid.getnode()` is the MAC address of the current computer; `str(uuid.getnode())` is the decimal representation of the MAC address
* `get_machine_id()` reads the value in `/etc/machine-id` or `/proc/sys/kernel/random/boot_i` and returns it directly if present
To find the server's MAC address, you need to know which network interface is being used to serve the app (e.g. `ens3`). If it is unknown, leak `/proc/net/arp` for the device ID and then leak the MAC address at `/sys/class/net/<device id>/address`.
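Seen from the server side, the reads described above leave a recognisable trail in web access logs. The following is an added detection example, not code from the original page or from Werkzeug: it flags clients that probe `/console`, request the files named above through a traversal, or submit PIN guesses. The log lines, the `/download?file=` endpoint and the addresses are constructed; the `__debugger__=yes&cmd=pinauth` query is the request Werkzeug's debugger uses to submit a PIN and does not appear on the page.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Files the page names as sources of the PIN inputs.
PIN_INPUT_PATHS = re.compile(
    r"/etc/machine-id|/proc/net/arp|/sys/class/net/[^/]+/address"
    r"|werkzeug/debug/__init__\.py"
)
# Common log format: client ... "METHOD url HTTP/x" status
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation addresses, hypothetical endpoint).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /console HTTP/1.1" 200 1523',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /download?file=..%2f..%2fetc%2fmachine-id HTTP/1.1" 200 33',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /download?file=../../sys/class/net/ens3/address HTTP/1.1" 200 18',
    '203.0.113.7 - - [01/Jan/2024:10:00:30 +0000] "GET /console?__debugger__=yes&cmd=pinauth&pin=123-456-789&s=EXAMPLE HTTP/1.1" 200 40',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index HTTP/1.1" 200 512',
]

def classify(url):
    """Return a finding label for one request URL, or None if it looks benign."""
    decoded = unquote(unquote(url))  # undo single and double URL-encoding
    parts = urlsplit(decoded)
    query = parse_qs(parts.query)
    if PIN_INPUT_PATHS.search(decoded):
        return "pin-input-read"
    if query.get("__debugger__") == ["yes"] and query.get("cmd") == ["pinauth"]:
        return "pin-attempt"
    if parts.path.rstrip("/") == "/console":
        return "console-probe"
    return None

def scan(lines):
    """Group findings by client address as (label, HTTP status) pairs."""
    findings = defaultdict(list)
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, url, status = match.groups()
        label = classify(url)
        if label:
            findings[client].append((label, status))
    return dict(findings)

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, hits)
```

A client that shows `console-probe`, `pin-input-read` and `pin-attempt` together is worth an alert; a 200 status on a `pin-input-read` means the file was actually served.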
Convert the hex address to its decimal representation in Python, e.g.: