Bike - Hack The Box - Walkthrough

5 min readMar 24, 2022


Table of Contents

  1. Technologies
  2. Enumeration
  3. Identification
  4. Exploitation
  5. URL Encoding
  6. Globals
  7. Debrief


Expected technologies I used:






URL encoding



Special Mentions: Linux, SMB, Web, JS, SSTI



  • sC: Performs a script scan using the default set of scripts
  • -sV: Version detection
  • -v: Increases the verbosity level
nmap -sC -sV -v {ip target}

Upon visiting port 80, Itry various methods to exploit the site but then focus on a this reflected output after we submitted a fake contact email. Potential XSS exploit.

I use wappalyzer to scan the site for information to assist with XSS. Wappalyzer is installed as a browser extension so we just reload the main page.

Node.js and Python web backend servers often make use of a software called “Template Engines”

With Node.js websites there is a good possibility that a Template Engine is being used to reflect the email.


Here I use plan to use a exploit called SSTI that I found on Hacktricks for this particular Template Engine.

I focus on this exploit since the input is mainly plaintext and it focuses on email input validation possibly.

Here I see that it worked


Thanks to this error message I find out that at parser.parse the Template Engine being used is Handlebars and it is located in the /root/backend directory.


I open burpsuite to capture a POST and edit it to deliver the payload using the same exploit from before that caused the error message

I first send the http packet to the repeater module


URL Encoding

Then using the hacktricks given exploit under Handlebars (NodeJS), I copy the exploit and URL encode it in order for the web server to read it

Decode - URL

Note: there is already a URL encoded if you copy paste it, so be sure to delete it or use it

And of course you paste it here exactly after email= and before &action

The response was pretty disheartening as the payload is erroring out

‘require is not defined’

Apparently, require is a keyword in javascript/node.js and it is used to load code from other modules or files, thus it will not allow me to execute our payload


The best site to use for this would be

It listed all of the information I needed in order to make this exploit work, specifically process

Doing the exact same thing as before and substituting the require set command with just the command process


{{this.push “return process;”)}}”

I need to keep pushing in order to be able execute my child_process so I focus on the code and notice it had an object process which could be used as an exploit.

Reading through I find that the object process has a maindmodule, which is a good sign as it can get us the foothold we need in order to execute our payload properly


Although the page listed the process.maindolue as deprecated, I still attempt it as it will give me the results I need

I do the same steps as before and use the newly found commands with the exploit

It did not actually tell me whoami but I try to run a command as root to see it it will execute a different command as it comepltely just deleted the object process []

I got the other linux commands to execute as root nonetheless so I began to dig for the root directory to get the flag


At this point all I did was execute cat in order to view the flag.txt


For the most part, the technologies have already been outlined this is just my personal say on this box

Very fun box and just loved the use of burpsuite and node.js in this one so much.

This was a very excellent starting point box and I thoroughly enjoyed my time as always





Experienced Cyber Security/Intelligence Analyst with a demonstrated history of working in the US Military and IT industry.