Pivot Easy

Technical Walkthrough

Writeup

Challenge

• Name: Pivot-Easy
• Category: Coding
• Difficulty: Easy
• Mode: remote

Summary

Pivot Easy is a remote HTB Coding runner. The prompt describes a directed weighted graph of hosts and pivot risks, then asks for the minimum cumulative detection risk from a compromised host to the Core Administration Server. The correct solution is Dijkstra's shortest-path algorithm with a host-name-to-ID map and a heap.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

• analysis/remote/root-http.txt: captured the full challenge prompt and frontend runner.
• analysis/remote/prompts.js: captured the default language templates.
• analysis/remote/initial-nc-probe.txt: confirmed the port accepts TCP but the useful interface is HTTP.
• solve/solution.py: submitted algorithm implementation.
• solve/solve.py: reproducible submitter for /run.
• analysis/remote/run-response.json: saved runner response from the successful submission.

Analysis

The prompt states that each pivot path is unidirectional and has a detection risk. The required output is a single integer: the minimum cumulative risk from the starting host to the target host. Since edge weights are non-uniform and the constraints are large (N up to 150000 and M up to 1000000), BFS and adjacency matrices are inappropriate.

The implementation maps each host name to an integer ID as it is encountered, stores outgoing edges in adjacency lists, and runs Dijkstra with heapq. The algorithm exits as soon as the target is popped from the heap, which avoids unnecessary work on large hidden cases.

Solve

The submitted code is in solve/solution.py. It supports both likely first-line formats:

• N M start target
• N M followed by a second line containing start target

The submitter in solve/solve.py posts the solution to /run as Python, saves the raw JSON response to analysis/remote/run-response.json, and writes any returned flag candidate to loot/flag-candidate.txt. The harness then validates and stores the flag in loot/flag.txt.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• For weighted graph routing problems, confirm whether edges are directed before choosing the algorithm.
• Large constraints rule out adjacency matrices and all-pairs algorithms.
• Treat host labels as opaque strings; map them to integer IDs for performance.
• Save the /run response so failed hidden tests can be debugged without rerunning blindly.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Pivot-Easy
• Category: Coding
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:30290
• Start time: 2026-06-07T23:43:27Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote service is the standard HTB Coding HTTP runner.
• Useful endpoint is POST /run, as shown in analysis/remote/root-http.txt.
• The challenge is a directed weighted shortest-path problem over host names.
• Constraints require an efficient single-source shortest-path algorithm.
• solve/solution.py uses Dijkstra with a heap, adjacency lists, and host-name ID mapping.
• The solver supports both N M start target and N M plus a second start target line.
• solve/solve.py submitted the code and stored the successful response in analysis/remote/run-response.json.
• The harness captured the validated flag into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Coding
• Challenge: Pivot-Easy
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Fingerprinted the remote as the standard HTB Coding HTTP runner.
2. Captured the prompt from the root page and identified a directed weighted shortest-path problem.
3. Chose Dijkstra because edge weights are non-uniform and constraints are large.
4. Implemented host-name-to-ID mapping, adjacency lists, and a heapq priority queue.
5. Submitted the Python solution through /run.
6. Captured the returned flag through the harness without printing it.

Reusable Lessons

• Use Dijkstra for single-source shortest path when weights are non-negative and non-uniform.
• Map arbitrary string node labels to compact integer IDs before building large graphs.
• Support minor input-format variation when the prompt wording and example differ slightly.

Dead Ends

• Raw TCP probe was not the useful interface; HTTP /run was the correct runner path.
• BFS was rejected because risks are weighted.

Tool Quirks

• The frontend JavaScript posts JSON to /run with fields code and language.
• The runner returns JSON; successful responses can contain the flag inside the response body.

Evidence Paths

• analysis/remote/root-http.txt
• analysis/remote/prompts.js
• analysis/remote/run-response.json
• solve/solution.py
• solve/solve.py

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Coding
• Challenge: Pivot-Easy
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Fingerprinted the remote as the standard HTB Coding HTTP runner.
2. Captured the prompt from the root page and identified a directed weighted shortest-path problem.
3. Chose Dijkstra because edge weights are non-uniform and constraints are large.
4. Implemented host-name-to-ID mapping, adjacency lists, and a heapq priority queue.
5. Submitted the Python solution through /run.
6. Captured the returned flag through the harness without printing it.

Reusable Lessons

• Use Dijkstra for single-source shortest path when weights are non-negative and non-uniform.
• Map arbitrary string node labels to compact integer IDs before building large graphs.
• Support minor input-format variation when the prompt wording and example differ slightly.

Dead Ends

• Raw TCP probe was not the useful interface; HTTP /run was the correct runner path.
• BFS was rejected because risks are weighted.

Tool Quirks

• The frontend JavaScript posts JSON to /run with fields code and language.
• The runner returns JSON; successful responses can contain the flag inside the response body.

Evidence Paths

• analysis/remote/root-http.txt
• analysis/remote/prompts.js
• analysis/remote/run-response.json
• solve/solution.py
• solve/solve.py

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Pivot-Easy
• Category: Coding
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:30290
• Start time: 2026-06-07T23:43:27Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote service is the standard HTB Coding HTTP runner.
• Useful endpoint is POST /run, as shown in analysis/remote/root-http.txt.
• The challenge is a directed weighted shortest-path problem over host names.
• Constraints require an efficient single-source shortest-path algorithm.
• solve/solution.py uses Dijkstra with a heap, adjacency lists, and host-name ID mapping.
• The solver supports both N M start target and N M plus a second start target line.
• solve/solve.py submitted the code and stored the successful response in analysis/remote/run-response.json.
• The harness captured the validated flag into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.