webPromedium

Lab 380 — BuildStream — RCE via Malicious npm Package Preinstall Script

hackadvisor

Task: CI/CD platform with internal npm registry where a project depends on a package not yet published. Solution: publish a malicious package with a preinstall script that reads /flag, then trigger the build pipeline to execute it and retrieve the flag from build logs.

$ ls tags/ techniques/

rce nodejs npm cicd dependency_confusion supply_chain_attack preinstall_script package_registry

dependency_confusion_attacknpm_lifecycle_script_abusecicd_pipeline_exploitationunclaimed_package_hijacking

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 312 — BuildStream — Zip Slip Path Traversal in Artifact Upload— hackadvisor
[web][Pro]Lab 122 — BuildStream — RCE via Expression Sandbox Escape— hackadvisor
[web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor
[web][Pro]Lab 209 — BuildForge — Path Traversal in Static File Serving— hackadvisor
[web][Pro]Lab 29 — PackForge — Path Traversal to RCE via Template Injection— hackadvisor