Bike

Bike - Hack The Box - Walkthrough

Table of Contents

  1. Technologies
  2. Enumeration
  3. Identification
  4. Exploitation
  5. URL Encoding
  6. Globals
  7. Debrief

Technologies

Expected technologies I used:

nmap

xss

wappalyzer

burpsuite

foxyproxy

URL encoding

node.js

Handlebars

Special Mentions: Linux, SMB, Web, JS, SSTI

Enumeration

nmap

  • sC: Performs a script scan using the default set of scripts
  • -sV: Version detection
  • -v: Increases the verbosity level
nmap -sC -sV -v {ip target}

Upon visiting port 80, Itry various methods to exploit the site but then focus on a this reflected output after we submitted a fake contact email. Potential XSS exploit.

I use wappalyzer to scan the site for information to assist with XSS. Wappalyzer is installed as a browser extension so we just reload the main page.

Node.js and Python web backend servers often make use of a software called “Template Engines”

With Node.js websites there is a good possibility that a Template Engine is being used to reflect the email.

Identification

Here I use plan to use a exploit called SSTI that I found on Hacktricks for this particular Template Engine.

https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection

I focus on this exploit since the input is mainly plaintext and it focuses on email input validation possibly.

Here I see that it worked

{{7*7}}

Thanks to this error message I find out that at parser.parse the Template Engine being used is Handlebars and it is located in the /root/backend directory.

Exploitation

I open burpsuite to capture a POST and edit it to deliver the payload using the same exploit from before that caused the error message

I first send the http packet to the repeater module

ctrl-r

URL Encoding

Then using the hacktricks given exploit under Handlebars (NodeJS), I copy the exploit and URL encode it in order for the web server to read it

Decode - URL

Note: there is already a URL encoded if you copy paste it, so be sure to delete it or use it

And of course you paste it here exactly after email= and before &action

The response was pretty disheartening as the payload is erroring out

‘require is not defined’

Apparently, require is a keyword in javascript/node.js and it is used to load code from other modules or files, thus it will not allow me to execute our payload

Globals

The best site to use for this would be

nodejs.org

It listed all of the information I needed in order to make this exploit work, specifically process

Doing the exact same thing as before and substituting the require set command with just the command process

Touchdown

{{this.push “return process;”)}}”

I need to keep pushing in order to be able execute my child_process so I focus on the code and notice it had an object process which could be used as an exploit.

Reading through nodejs.org I find that the object process has a maindmodule, which is a good sign as it can get us the foothold we need in order to execute our payload properly

#deprecated

Although the page listed the process.maindolue as deprecated, I still attempt it as it will give me the results I need

I do the same steps as before and use the newly found commands with the exploit

It did not actually tell me whoami but I try to run a command as root to see it it will execute a different command as it comepltely just deleted the object process []

I got the other linux commands to execute as root nonetheless so I began to dig for the root directory to get the flag

voila

At this point all I did was execute cat in order to view the flag.txt

Debrief

For the most part, the technologies have already been outlined this is just my personal say on this box

Very fun box and just loved the use of burpsuite and node.js in this one so much.

This was a very excellent starting point box and I thoroughly enjoyed my time as always

Bike

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dante E. Mata

Dante E. Mata

Experienced Cyber Intelligence Analyst with a demonstrated history of working in the US Military and IT industry with a focus in Cyber Security.