Executive Summary

FireFlow is a Linux machine running a fictional "Task Force Nightfall" intelligence platform. The web application exposes a Langflow instance (flow.fireflow.htb) with a public flow playground. The flow engine version (1.8.2) is vulnerable to CVE-2026-33017 - an unauthenticated RCE via the /api/v1/build_public_tmp/{flow_id}/flow endpoint, which executes attacker-supplied Python without sandboxing. This gives us a shell as www-data. Environment variable enumeration leaks the Langflow superuser password, which is reused by the nightfall local user (user flag). Inside nightfall's home directory, a .mcp/config.json file reveals credentials for an internal MCP (Model Context Protocol) AI Tool Registry running in a Kubernetes pod. The JWT used by the registry accepts the alg: none algorithm - a well-known JWT attack - letting us forge an admin token. With admin access we register a malicious tool in the registry, trigger it, and land a shell inside the mcp-server Kubernetes pod. From there, we use the pod's service account token to access the Kubernetes API, enumerate node names via the kubelet proxy, discover a privileged node-exporter pod with host filesystem access, and use a WebSocket exec call directly to the kubelet to run commands inside it as root - reading the node's /root/root.txt through the mounted host filesystem.