PowerGrid

Technical Walkthrough

Writeup

Challenge

• Name: PowerGrid
• Category: SecureCoding
• Difficulty: Easy
• Mode: remote

Summary

PowerGrid exposes the challenge application source through an outer HTB editor service. The bug is in utils/db.js: user records are serialized as username|<password redacted>|role, but registration accepts usernames containing |, carriage return, and newline. That lets an attacker inject an additional admin record into users.txt. The intended solve is to patch the storage layer, restart the service, and verify that the vulnerability is fixed.

Artifact Inventory

Relevant local and remote artifacts:

• analysis/remote/api-readonly.txt: confirms the live editor endpoints /api/directory, /api/file, /api/restart, and /api/verify
• files/exposed-source/utils/db.js: vulnerable user storage and parsing logic
• files/exposed-source/routes/auth.js: registration path that passes the supplied username into addUser(...)
• files/exposed-source/exploit/solver.py: bundled proof-of-concept for record injection
• solve/patched-db.js: prepared remediation
• solve/solve.py: reproducible remote patch/restart/verify helper
• analysis/remote/verify-after-patch.json: sanitized proof that verification passed after patching

Analysis

The live editor API enumerated the remote project tree and made utils/db.js readable. In that file, readUsers() and writeUsers() use newline-separated username|<password redacted>|role records, while addUser(username, password, role) writes the caller-provided username directly into that format.

That is the core bug: because the username field is serialized without rejecting |, \r, or \n, a crafted username can terminate the current record and inject a second one. The mirrored routes/auth.js shows public registration reaches addUser(...), and the bundled files/exposed-source/exploit/solver.py demonstrates the exploit shape by creating an extra admin entry in users.txt.

The remediation in solve/patched-db.js closes the bug at the right layer:

• usernames must match a strict allowlist
• serialized fields cannot contain pipe or line-break delimiters
• public registration is restricted to operator
• malformed stored records are skipped on read and filtered on write
• authentication and lookup reject invalid usernames early

During execution I also had to correct the automation helper: the editor save protocol expects the MD5 of the currently loaded file as a save token, not the MD5 of the new content. The final solve/solve.py fetches the current utils/db.js, computes that MD5, sends the patch over Socket.IO, restarts the service, and then calls /api/verify.

Solve

From the workspace root:

cd <local workspace>
python3 -m venv .venv
. .venv/bin/activate
python -m pip install requests 'python-socketio[client]'
python solve/solve.py --base-url http://<TARGET>:32453 --output loot/flag-candidate.txt

What the helper does:

1. GET /api/file?path=utils/db.js to read the current file and derive the editor’s MD5 save token.
2. Connect to the editor’s Socket.IO endpoint and send a message event of type save for utils/db.js.
3. POST /api/restart.
4. GET /api/verify.
5. Store the returned flag candidate only in loot/flag-candidate.txt.

After that, the harness capture path is:

cd <local workspace>
python3 scripts/challenge_harness.py capture-flag SecureCoding/PowerGrid --from loot/flag-candidate.txt
python3 scripts/challenge_harness.py complete SecureCoding/PowerGrid
python3 scripts/challenge_harness.py validate-state SecureCoding/PowerGrid

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• When a challenge is wrapped in an editor shell, inspect the outer tooling as well as the exposed app source.
• Delimiter-based flat-file storage becomes privilege escalation as soon as untrusted fields can cross record boundaries.
• For editor-backed challenges, save semantics matter: optimistic concurrency tokens can break otherwise correct automation if you send the wrong hash.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: PowerGrid
• Category: SecureCoding
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:32453
• Start time: 2026-06-07T22:54:29Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Service fingerprint: GET / serves an HTB Editor frontend; GET /challenge/ serves the PowerGrid app.
• Real editor endpoints use /api/*, including /api/directory, /api/file, /api/restart, and /api/verify.
• GET /api/directory exposed the challenge source tree; mirrored copy is stored under files/exposed-source/.
• GET /api/verify confirmed the current service is still vulnerable before patching.
• Root cause: utils/db.js serializes users as username|<password redacted>|role and accepts user-controlled registration usernames without rejecting pipes or newlines.
• The included exploit/solver.py proves a username can inject an extra admin record.
• Prepared remediation artifacts:

- solve/patched-db.js

- solve/solve.py

- <secret redacted>md

• Remote execution succeeded after patching utils/db.js, restarting the service, and verifying through /api/verify.
• Editor save protocol note: the Socket.IO save event must carry the MD5 of the currently loaded file as its save token; sending the MD5 of the new content prevents the save acknowledgement.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: SecureCoding
• Challenge: PowerGrid
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

• Proposed for LightRAG: yes/no
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: SecureCoding
• Challenge: PowerGrid
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

• Proposed for LightRAG: yes/no
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: PowerGrid
• Category: SecureCoding
• Difficulty: Easy
• Mode: remote
• Remote instance: <TARGET>:32453
• Start time: 2026-06-07T22:54:29Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Service fingerprint: GET / serves an HTB Editor frontend; GET /challenge/ serves the PowerGrid app.
• Real editor endpoints use /api/*, including /api/directory, /api/file, /api/restart, and /api/verify.
• GET /api/directory exposed the challenge source tree; mirrored copy is stored under files/exposed-source/.
• GET /api/verify confirmed the current service is still vulnerable before patching.
• Root cause: utils/db.js serializes users as username|<password redacted>|role and accepts user-controlled registration usernames without rejecting pipes or newlines.
• The included exploit/solver.py proves a username can inject an extra admin record.
• Prepared remediation artifacts:

- solve/patched-db.js

- solve/solve.py

- <secret redacted>md

• Remote execution succeeded after patching utils/db.js, restarting the service, and verifying through /api/verify.
• Editor save protocol note: <REDACTED>

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.