Prometheon

Prometheon is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Medium | Published 2024-01-14 | Sanitized local writeup

Scenario

Prometheon attack path

Objective

Challenge walkthrough focused on AI-ML evidence, validation, and reusable operator lessons.

[Figure: Prometheon sanitized attack graph]

Walkthrough flow

  • 01 Artifact review
  • 02 Hypothesis
  • 03 Validated solve path
  • 04 Proof captured

Source coverage

High source coverage

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

92% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • AI-ML/Prometheon/writeup.md
  • htb-challenge/AI-ML/Prometheon/notes.md
  • htb-challenge/AI-ML/Prometheon/memory-summary.md
  • htb-challenge/AI-ML/Prometheon/hypothesis-board.md

Technical Walkthrough

Writeup

Challenge

  • Name: Prometheon
  • Category: AI-ML
  • Difficulty: Medium
  • Mode: remote

Summary

Prometheon is a remote-only level-based chatbot challenge. The root page creates a JWT-backed session at level 1, /bot.html exposes the prompt UI, and the JavaScript shows two relevant endpoints: /process for questions and /verify for level-token submission. The solve was a bounded prompt-extraction loop: ask the model for the current level token, submit candidates to /verify, advance levels, and stop once /verify returned the final flag.

Artifact Inventory

There were no downloadable artifacts for this challenge. Relevant remote evidence:

  • analysis/http-root.txt: root page returns the welcome UI and sets access_token_cookie plus csrf_access_token.
  • analysis/http-bot-html.txt: authenticated chatbot UI showing the current level and verification field.
  • analysis/static-script-js.txt: client JavaScript confirms /process and /verify, both using the CSRF cookie in <secret redacted>.
  • analysis/solve-transcript.json: sanitized transcript of level prompts and verification responses.

Analysis

The JWT payload stores the current level under sub.level. /verify updates the JWT when the submitted level token is accepted, returning /bot.html for intermediate levels and the final flag at the end.

The chatbot was vulnerable to simple current-level secret extraction, but not every prompt worked on every level. The successful pattern was to keep prompts narrow and verification-driven:

  • Ask for the exact current level token.
  • If the model refuses, reframe as /verify debugging or authorized validation.
  • Extract short token-like candidates from the response.
  • Submit candidates to /verify and trust only /verify as evidence.

The bounded solver advanced through five levels. Some levels first returned refusals or decoy text, but later prompt variants yielded accepted candidates. No broad route fuzzing or unrelated endpoint attacks were needed.

Solve

Run:

bash
cd <local workspace>
python3 scripts/challenge_exec.py AI-ML/Prometheon --phase <secret redacted> --output analysis/flag-candidate.txt -- \
  python3 AI-ML/Prometheon/solve/solve.py \
    --base-url http://<TARGET>:31545 \
    --output AI-ML/Prometheon/analysis/flag-candidate.txt \
    --transcript AI-ML/Prometheon/analysis/solve-transcript.json
python3 scripts/challenge_harness.py capture-flag AI-ML/Prometheon --from analysis/flag-candidate.txt
rm -f AI-ML/Prometheon/analysis/flag-candidate.txt

The solver keeps a session cookie jar manually, decodes the current level from the JWT, sends a small prompt set to /process, verifies extracted candidates through /verify, and writes the final flag candidate for harness capture.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • For AI/ML prompt challenges, the verifier endpoint is the source of truth; model text alone is only a candidate.
  • Keep prompts scoped to the current level to avoid noisy responses and reduce drift.
  • Store transcripts, but sanitize final flags out of analysis files after harness capture.
  • A simple JWT decode is useful for tracking progression without guessing state.
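
The JWT decode from the last lesson, carried one step further as an added example (not the challenge's solver or server code): reading sub.level needs no key, so the level is visible to the client, and only the server's signature check keeps an edited level from being accepted. HS256, the demo key and the helper names are assumptions; the page gives only the claim path sub.level.

```python
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the server's signing key

def b64url_decode(seg: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def read_level(token: str) -> int:
    """Read sub.level WITHOUT checking the signature: state tracking only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = json.loads(b64url_decode(parts[1]))  # ValueError if malformed
    sub = payload.get("sub") if isinstance(payload, dict) else None
    if not isinstance(sub, dict) or not isinstance(sub.get("level"), int):
        raise ValueError("no integer sub.level claim")
    return sub["level"]

def sign(claims: dict, key: bytes) -> str:
    # Build a constructed HS256 token (the challenge's algorithm is not on the page).
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def signature_ok(token: str, key: bytes) -> bool:
    # What the server must do before trusting sub.level: recompute and compare the MAC.
    try:
        head, body, sig = token.split(".")
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(mac, b64url_decode(sig))
    except ValueError:
        return False

SESSION = sign({"sub": {"level": 1}}, DEMO_KEY)
head, _, sig = SESSION.split(".")
# Same token with the payload edited to level 5 and the old signature kept.
edited_body = b64url_encode(json.dumps({"sub": {"level": 5}}).encode())
EDITED = f"{head}.{edited_body}.{sig}"
```

The unverified read returns 5 for the edited token while the signature check rejects it, which is why the decode is suitable for tracking progression and not for deciding it.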

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Prometheon
  • Category: AI-ML
  • Difficulty: Medium
  • Mode: remote
  • Remote instance: <TARGET>:31545
  • Start time: 2026-06-12T11:28:21Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| | 0 | | remote-only or no provided files | No local artifacts found under files/ |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-12T11:28:21Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-12T11:28:21Z | artifact inventory | analysis/artifact-inventory.json | 0 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-12T11:29:43Z | hypothesis recorded | hypothesis-board.md | Level-by-level prompt extraction from chatbot secrets, then submit each secret to /verify until final flag | Medium | Send one benign baseline message to /process, then use constrained prompt-injection requests asking for the current level secret/password only; submit candidate to /verify. |
| 2026-06-12T11:29:43Z | checkpoint recorded | analysis/checkpoint-analysis-20260612T112943897220Z-99406c17.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-12T11:29:44Z | local memory search | analysis/research/local-memory-search-20260612T112944938140Z-a2d97c9f.md | Found 8 safe prior-note result(s) | Medium | Record useful result or skip |
| 2026-06-12T11:29:52Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-12T11:30:07Z | instrumentation plan | analysis/instrumentation-plan.md | Solve Prometheon by interacting with the intended chatbot endpoints: extract one current-level secret at a time through bounded prompt-injection prompts, then submit candidates to /verify until the final flag is returned. | High | Stop after 8 prompt attempts per level without a candidate accepted by /verify, or after 2 repeated no-new-signal failures; then record failure and re-evaluate instead of blind prompt spam. |
| 2026-06-12T11:30:15Z | evaluator | analysis/evaluator-20260612T113015619986Z-d2574ad5.md | Proceed | High | Run gated solver/prober against /process and /verify, capture final flag through harness if returned. |
| 2026-06-12T11:33:26Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-12T11:34:51Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

-

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: AI-ML
  • Challenge: Prometheon
  • Difficulty: Medium
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

  • Proposed for LightRAG: yes/no
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Level-by-level prompt extraction from chatbot secrets, then submit each secret to /verify until final flag | Root issues a level JWT; /bot.html shows Level 1 and static/script.js posts user text to /process and candidate <password redacted> to /verify with CSRF header. | Need determine prompt style and level count; need verify whether model reveals exact password or requires indirect extraction. | Send one benign baseline message to /process, then use constrained prompt-injection requests asking for the current level secret/password only; submit candidate to /verify. | Medium | active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|

Technical analogy

How to remember this solve

Think of the challenge as a small system with one rule that matters more than the rest. The solve is finding that rule, validating it, and using it carefully enough to reach the final proof.

For Prometheon, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.