Agriweb

Technical Walkthrough

Writeup

Challenge

• Name: Agriweb
• Category: SecureCoding
• Difficulty: Easy
• Mode: remote

Summary

Agriweb exposes its source through an outer HTB editor service. The actual bug is in routes/profile.js: attacker-controlled profile JSON is recursively merged with an unsafe deepMerge(...) that does not block __proto__, prototype, or constructor. That allows prototype pollution, and because the admin middleware trusts req.user.isAdmin, a polluted Object.prototype.isAdmin turns ordinary authenticated users into admins. The intended fix is to harden the merge logic, restart the service, and verify the patch.

Artifact Inventory

Relevant local and remote artifacts:

• analysis/remote/api-readonly.txt: confirms the live editor endpoints /api/directory, /api/file, /api/restart, and /api/verify
• files/exposed-source/routes/profile.js: vulnerable recursive merge logic
• files/exposed-source/app.js: admin guard that trusts req.user.isAdmin
• files/exposed-source/utils/jwt.js: normal JWT handling, useful to rule out weaker bypass paths
• files/exposed-source/exploit/solver.py: bundled proof-of-concept for the prototype-pollution payload class
• solve/patched-profile.js: prepared remediation
• solve/solve.py: reproducible remote patch/restart/verify helper
• analysis/remote/verify-after-patch.json: sanitized proof that verification passed after patching

Analysis

The live service root is an HTB editor frontend, while /challenge/ serves the Agriweb application. The editor API exposed the remote project tree, and routes/profile.js contained the vulnerable merge code.

updateProfile() reads the stored profile JSON and feeds attacker-controlled profileData into a recursive deepMerge(target, source). In the vulnerable version, the merge walks nested objects without rejecting special keys, so payloads containing __proto__, prototype, or constructor can poison object prototypes.

The included bundled files/exposed-source/exploit/solver.py proves the intended bug class by sending exactly those pollution payloads. The impact is then clear in app.js: the admin guard checks req.user.isAdmin. If Object.prototype.isAdmin is polluted, the decoded JWT payload object inherits that property and the middleware grants admin access.

The remediation in solve/patched-profile.js fixes the bug at the right layer:

• recursively blocks __proto__, prototype, and constructor
• only iterates own enumerable keys
• only recursively merges plain objects
• sanitizes nested structures before merging

During execution I also had to correct the automation helper. The editor save protocol expects the MD5 of the currently loaded file as a save token, not the MD5 of the patched content. The final solve/solve.py fetches the live routes/profile.js, derives that MD5, sends the patch over Socket.IO, restarts the service, and then verifies the result.

Solve

From the workspace root:

cd <local workspace>
python3 -m venv .venv
. .venv/bin/activate
python -m pip install requests 'python-socketio[client]'
python solve/solve.py --base-url http://<TARGET>:31970 --output loot/flag-candidate.txt

What the helper does:

1. GET /api/file?path=routes/profile.js to read the current file and derive the editor’s MD5 save token.
2. Connect to the editor’s Socket.IO endpoint and send a message event of type save for routes/profile.js.
3. POST /api/restart.
4. GET /api/verify.
5. Store the returned flag candidate only in loot/flag-candidate.txt.

After that, the harness capture path is:

cd <local workspace>
python3 scripts/challenge_harness.py capture-flag SecureCoding/Agriweb --from loot/flag-candidate.txt
python3 scripts/challenge_harness.py complete SecureCoding/Agriweb
python3 scripts/challenge_harness.py validate-state SecureCoding/Agriweb

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Prototype pollution is rarely just a data-integrity bug; any authorization path that trusts inherited properties turns it into privilege escalation.
• In editor-backed SecureCoding challenges, save-token semantics matter as much as the patch itself.
• Keep verify artifacts sanitized; the authoritative raw flag belongs in loot/ only.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Agriweb
• Category: SecureCoding
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:31970
• Start time: 2026-06-07T23:12:25Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Service fingerprint: GET / serves the HTB Editor frontend; GET /challenge/ serves the AgriWeb application.
• Real editor endpoints use /api/*, including /api/directory, /api/file, /api/restart, and /api/verify.
• GET /api/directory exposed the source tree; mirrored copy is stored under files/exposed-source/.
• GET /api/verify confirmed the current service is still vulnerable before patching.
• db/agriweb.db returned HTTP 500 through the editor file API; all text source was mirrored successfully.
• Root cause: routes/profile.js recursively deep-merges attacker-controlled profile JSON without blocking __proto__, prototype, or constructor.
• Impact: prototype pollution can make normal JWT payload objects inherit isAdmin, passing the app.js admin middleware check.
• The included exploit/solver.py confirms the intended exploit path and payload class.
• Prepared remediation artifacts:

- solve/patched-profile.js

- solve/solve.py

- <secret redacted>md

• Remote execution succeeded after patching routes/profile.js, restarting the service, and verifying through /api/verify.
• Editor save protocol note: the Socket.IO save event must carry the MD5 of the currently loaded file as its save token; sending the MD5 of the new content prevents the save acknowledgement.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: SecureCoding
• Challenge: Agriweb
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

• Proposed for LightRAG: yes/no
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: SecureCoding
• Challenge: Agriweb
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

• Proposed for LightRAG: yes/no
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Agriweb
• Category: SecureCoding
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:31970
• Start time: 2026-06-07T23:12:25Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Service fingerprint: GET / serves the HTB Editor frontend; GET /challenge/ serves the AgriWeb application.
• Real editor endpoints use /api/*, including /api/directory, /api/file, /api/restart, and /api/verify.
• GET /api/directory exposed the source tree; mirrored copy is stored under files/exposed-source/.
• GET /api/verify confirmed the current service is still vulnerable before patching.
• db/agriweb.db returned HTTP 500 through the editor file API; all text source was mirrored successfully.
• Root cause: routes/profile.js recursively deep-merges attacker-controlled profile JSON without blocking __proto__, prototype, or constructor.
• Impact: <REDACTED>, passing the app.js admin middleware check.
• The included exploit/solver.py confirms the intended exploit path and payload class.
• Prepared remediation artifacts:

- solve/patched-profile.js

- solve/solve.py

- <secret redacted>md

• Remote execution succeeded after patching routes/profile.js, restarting the service, and verifying through /api/verify.
• Editor save protocol note: <REDACTED>

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.