Ladybug - HacktivityCon CTF

Visiting the given link, we are greeted with a landing page.

Looking at the image paths in the page source, we see there is a film directory.

The headers for the site show that it is a Werkzeug WSGI web app.

If the app is run with debug=True then we will find the full debug output if we cause an error. As part of the debug console, if enabled, we can get a python terminal open. This is done by simply clicking on the little terminal icon in the far right of a debug output line.

Using the Python debugging console we are able to execute arbitrary Python commands, and thus can enumerate the flag location and print it out.