
Prison Pipeline

HackTheBox Business CTF 2024


Tags: ssrf_file_read, npm_package_hijacking, supply_chain_attack



Description

One of our crew members has been captured by mutant raiders and is locked away in their heavily fortified prison. During an initial reconnaissance, the crew managed to gain access to the prison's record management system. Your mission: exploit this system to infiltrate the prison's network and disable the defenses for the rescuers.

Application Architecture

| Component | Description |
| --- | --- |
| Main App | Node.js Express application on port 5000 (proxied via nginx on port 1337) |
| Verdaccio Registry | Private npm registry on port 4873, reachable externally through the registry.prison-pipeline.htb hostname (nginx vhost) |
| Cronjob | Every 30 seconds: runs npm outdated prisoner-db; if the package is outdated, runs npm update prisoner-db and then pm2 restart prison-pipeline |
| Flag | Located at /root/flag, readable via the SUID binary /readflag |

Key Files

  • /api/prisoners/import endpoint — accepts a URL parameter and fetches its content using node-libcurl
  • prisoner-db — private npm package used by the application (contains index.js, curl.js, depends on node-libcurl and js-yaml)
  • Cronjob script that runs npm --registry http://localhost:4873 update prisoner-db every 30 seconds

Analysis

Vulnerability 1: SSRF via node-libcurl

The import endpoint uses node-libcurl, which supports many protocols, including file:// for local file reads alongside the expected http://. Because the scheme of the supplied URL is not restricted, the endpoint can be used to read local files from the server.
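A hardened URL check for the import endpoint, as an added example that is not part of the writeup or the challenge code: it rejects every scheme other than http(s) and refuses loopback, private and internal hosts before libcurl is ever invoked, which closes the file:// read described above. The function and constant names are my own; the registry hostname is taken from the architecture table.

```javascript
// Added hardening example for the /api/prisoners/import URL check (not the
// challenge's code). Everything the endpoint fetches must pass validateImportUrl
// first, so file:// and loopback/internal targets never reach libcurl.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Internal vhosts served by this box; the registry name comes from the writeup.
const INTERNAL_HOSTS = new Set(["localhost", "registry.prison-pipeline.htb"]);

// Unspecified, RFC 1918, loopback and link-local (cloud metadata) IPv4 ranges.
// The WHATWG URL parser has already normalised forms such as 0x7f.1 or
// 2130706433 to dotted decimal, so a plain regex on url.hostname is enough.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// IPv6 literals arrive bracketed from the URL parser, e.g. "[::1]".
function isPrivateIPv6(literal) {
  const h = literal.slice(1, -1);
  return h === "::1" || h === "::" || h.startsWith("::ffff:") ||
    /^(fe80|fc|fd)/.test(h);
}

function validateImportUrl(input) {
  let url;
  try { url = new URL(input); } catch (_err) { return { ok: false, reason: "unparseable URL" }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname;
  const blocked = host.startsWith("[")
    ? isPrivateIPv6(host)
    : isPrivateIPv4(host) || INTERNAL_HOSTS.has(host) || host.endsWith(".localhost");
  if (blocked) return { ok: false, reason: `host ${host} not allowed` };
  return { ok: true, url: url.href };
}

// Constructed sample inputs: the writeup's SSRF path plus one benign import.
const SAMPLES = [
  "file:///home/node/.npmrc",
  "http://localhost:4873/prisoner-db",
  "http://0x7f.1:4873/prisoner-db",
  "https://example.com/prisoners.json",
];
for (const s of SAMPLES) console.log(s, "=>", validateImportUrl(s).reason ?? "allowed");
```

Validating the URL string is only half of the fix: the curl call should also restrict CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS to HTTP/HTTPS and re-check the final host after any redirect, because a permitted public URL can redirect to an internal one.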

Vulnerability 2: Leaked npm Auth Token

The .npmrc file at /home/node/.npmrc contains a Bearer token for Verdaccio authentication. This token can be extracted via SSRF file read.

Vulnerability 3: Supply Chain Attack Vector

The cronjob periodically runs npm update, which will install any newer version of prisoner-db from the internal registry. If we can publish a malicious version, it will be automatically installed and executed.

Nginx Vhost Routing (Critical Detail)

...
