Dconfig 2 < ESSENTIAL >

$ export DCONFIG_TOKEN=test $ ./dconfig fetch

value: .Env.SECRET You might be able to read system files or environment variables of the dconfig process itself. The apply command might write to protected files (e.g., /etc/profile.d/ , .bashrc , or systemd units). If you control the remote config, you can inject malicious commands.

source: type: http url: http://config-server.internal:8080/v1/config auth: type: bearer token: $DCONFIG_TOKEN secrets: - DB_PASSWORD - API_KEY If DCONFIG_TOKEN is not set, the tool might fall back to an empty token or a default.

Here’s a write-up for , structured as a technical or security write-up (depending on the context—CTF, tool usage, or system configuration). dconfig 2

$ ./dconfig fetch Error: 401 Unauthorized But maybe the server accepts any non-empty token:

$ env | grep DCONFIG (empty) Try fetching config without a token:

Check environment:

Example payload in remote config:

"DB_PASSWORD": "flag...", "API_KEY": "secret123"

Look for configuration files or environment hints: $ export DCONFIG_TOKEN=test $

$ file dconfig dconfig: ELF 64-bit executable $ ./dconfig --help Usage: dconfig [OPTIONS] COMMAND Commands: fetch Retrieve config from remote source apply Apply config to local environment validate Check config syntax

Flag obtained. If dconfig supports variable substitution in values, test with: