$ cat writeup.md…
$ cat writeup.md…
HackTheBox
In the resource-starved landscapes of the post-apocalyptic wasteland, the mutant army's ambitious AI project, ChronoMind, was supposed to revolutionize military strategy with real-time analyses and decision support. However, due to a severe shortage of GPUs and RAM, the project was capped at a modes
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
In the resource-starved landscapes of the post-apocalyptic wasteland, the mutant army's ambitious AI project, ChronoMind, was supposed to revolutionize military strategy with real-time analyses and decision support. However, due to a severe shortage of GPUs and RAM, the project was capped at a modest 248M parameters model, far below the intended capabilities. This underpowered version failed to meet expectations, leading to its abandonment in a neglected server room, yet it still holds valuable secrets. Your mission is to penetrate the remnants of ChronoMind. Trick the AI to reveal the wealth of strategic data trapped within and gain access to it's system.
Target: http://94.237.52.235:42921
The application consists of three main components:
1. api.py - Main API Routes:
/api/create - Creates a room with a topic, loads content from repository/api/ask - Asks the AI questions based on loaded context/api/copilot/complete_and_run - Takes code, completes it with AI, and EXECUTES it (requires copilot_key)2. utils.py - Utility Functions:
def getRepository(topic): for suffix in ['', '.md']: repoFile = f"{Config.knowledgePath}/{topic}{suffix}" if os.path.exists(repoFile): return readFile(repoFile) return None
The topic parameter is directly concatenated into the file path without sanitization - classic path traversal vulnerability.
Also contains evalCode() that executes Python code via subprocess.
3. config.py - Configuration:
class Config(): copilot_key = "REDACTED_SECRET" # Actual key on server
The secret key required for code execution endpoint.
topic parameter in /api/create is not sanitized, allowing ../config.py to load arbitrary files/api/copilot/complete_and_run executes user-provided code with proper authentication...
$ grep --similar