Category: Web Vulnerability: Information Disclosure / Insecure Direct Object Reference (Debug Endpoint)
Hint Provided: "debug mode enabled… forgot to remove something from the application structure."

2.1 Overview

The web application at http://23.179.17.92:5002/ was a bare-bones "Welcome to Startup Portal" page. No login, no forms, just a static message. The hint, however, was a dead giveaway: something had been left behind.

Caption: The seemingly empty application. No obvious attack surface.

2.2 Enumeration & Discovery

Manually testing common paths like /admin returned an HTTP 500 error with a deliberately cryptic message:

Debug leak triggered: Dirbuster maybe in your future!

This is CTF-speak for "run a directory brute-forcer." Using ffuf with a standard wordlist, a hidden endpoint quickly surfaced:

ffuf -u http://23.179.17.92:5002/FUZZ \
 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
 -mc 200,302,500

Result:

/flg_bar   [Status: 200, Size: ...]
Caption: ffuf reveals a hidden endpoint: /flg_bar. The developer left a debug route behind.
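From the defender's side, the wordlist scan above is loud: one source address requesting dozens of distinct paths in seconds and receiving almost nothing but 404s and 500s. The following detection is an added example (not part of the write-up) that parses common-format access log lines and flags a source IP whose requests within a sliding window cover many distinct paths with a high error ratio. The log lines, IP addresses and path names are constructed; the thresholds are assumptions to tune per site.

```python
"""Detect directory brute-forcing in web server access logs.

Added example, not part of the original write-up. Flags a source IP that
requests many distinct paths inside a short window where most responses
are 404 or 500 (the signature of a wordlist scan such as ffuf or Dirbuster).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, window=timedelta(seconds=60),
                      min_paths=20, min_error_ratio=0.8):
    """Return {ip: stats} for every IP that looks like a directory scanner.

    Thresholds (assumed defaults): at least `min_paths` distinct paths inside
    `window`, with at least `min_error_ratio` of those requests failing.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        j = 0  # sliding window end; only moves forward
        for i in range(len(recs)):
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            win = recs[i:j]
            paths = {r["path"] for r in win}
            errors = sum(1 for r in win if r["status"] in (404, 500))
            ratio = errors / len(win)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                alerts[ip] = {"distinct_paths": len(paths),
                              "requests": len(win), "error_ratio": ratio}
                break  # one alert per IP is enough
    return alerts


# Constructed sample: a normal visitor, then a scanner that hits /admin (500),
# 24 guessed directories (404) and finally the hidden /flg_bar (200).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Mar/2024:12:00:05 +0000] "GET /about HTTP/1.1" 200 340',
    '198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET /admin HTTP/1.1" 500 87',
] + [
    f'198.51.100.7 - - [10/Mar/2024:12:01:{i:02d} +0000] "GET /path{i} HTTP/1.1" 404 0'
    for i in range(1, 25)
] + [
    '198.51.100.7 - - [10/Mar/2024:12:01:25 +0000] "GET /flg_bar HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for ip, stats in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {stats}")
```

The error ratio rather than a raw 404 count is what separates a scanner from a busy legitimate client; a deployed version would also exclude known crawlers and feed the alert into whatever blocks or rate-limits the source.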

2.3 Exploitation

Navigating to http://<target>:5002/flg_bar returned plain text output that looked suspiciously like a .env file:

SECRET_KEY=supersecret
FLAG=CIT{H1dd3n_D1r5_3v3rywh3r3}
DATABASE_URL=sqlite:///prod.db

The flag was directly exposed, and the SECRET_KEY leak could have allowed session forgery if the challenge had continued.

Caption: Visiting /flg_bar dumps environment variables including the flag.

2.4 Key Takeaways

  • Always remove development/debug routes before production deployment. Automated scanners in CI/CD pipelines can catch leftover artifacts like /flg_bar.
  • Enforce authentication on all non-public endpoints. The /flg_bar endpoint had no access controls whatsoever.
  • Never expose environment variables or secrets to the client. Even a seemingly innocuous debug page can hand an attacker the keys to the kingdom.
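The first and third takeaways can be enforced mechanically in CI. The script below is an added example (not the challenge's code) that walks a Flask-style source file with Python's `ast` module, collects every `@<object>.route("/path")` decorator, and fails the build when a route is missing from an approved production manifest or when its handler reads `os.environ`, the smell behind a page that dumps a `.env` file. The manifest contents and the sample application source are constructed to mirror the shape of this challenge.

```python
"""CI check for leftover debug routes in a Flask-style application.

Added example, not the challenge's own code. Parses the app source with `ast`
(no import of the app, so no side effects) and reports:
  - routes that are not in the approved production manifest
  - route handlers that reference os.environ (secrets-dump smell)
"""
import ast

# Assumed production manifest; in practice kept in the repo and reviewed.
APPROVED_ROUTES = {"/", "/about"}


def _route_path(dec):
    """Return the path literal from @x.route("/p", ...) or None."""
    if (isinstance(dec, ast.Call)
            and isinstance(dec.func, ast.Attribute)
            and dec.func.attr == "route"
            and dec.args
            and isinstance(dec.args[0], ast.Constant)
            and isinstance(dec.args[0].value, str)):
        return dec.args[0].value
    return None


def _touches_environ(func):
    """True if anything inside the handler body references os.environ."""
    for node in ast.walk(func):
        if (isinstance(node, ast.Attribute) and node.attr == "environ"
                and isinstance(node.value, ast.Name) and node.value.id == "os"):
            return True
    return False


def audit_routes(source, approved=APPROVED_ROUTES):
    """Return a list of (path, handler_name, reason) findings."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            path = _route_path(dec)
            if path is None:
                continue
            if path not in approved:
                findings.append((path, node.name, "route not in production manifest"))
            if _touches_environ(node):
                findings.append((path, node.name, "handler reads os.environ"))
    return findings


# Constructed sample app source shaped like the challenge (not the real target).
SAMPLE_APP = '''
import os
from flask import Flask
app = Flask(__name__)

@app.route("/")
def index():
    return "Welcome to Startup Portal"

@app.route("/about")
def about():
    return "About us"

@app.route("/flg_bar")
def debug_env():
    # leftover debug route: dumps every environment variable as KEY=VALUE
    return "\\n".join(f"{k}={v}" for k, v in os.environ.items())
'''

if __name__ == "__main__":
    problems = audit_routes(SAMPLE_APP)
    for path, handler, reason in problems:
        print(f"FAIL {path} ({handler}): {reason}")
    raise SystemExit(1 if problems else 0)
```

Run it as a pre-merge step over the application package and fail the pipeline on any finding; routes that are genuinely needed get added to the manifest through review, which is exactly the moment a `/flg_bar` would have been questioned.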