Hack The Box - Bike
- Hacking By Doing
- Aug 2, 2022
- 2 min read

This time I will challenge the "Bike" CTF from HTB!
It's advised to try and solve the challenges by yourself on hackthebox.com before you read any of the answers.
TASK 1
What TCP ports does nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high.
To start, I launched an Nmap scan on the machine's IP address and found two open ports. The command I used was `nmap -sC -sV IPADDRESS -vv`.

Answer: 22,80
TASK 2
What software is running the service listening on the http/web port identified in the first question?
If we scroll down, we can see that there is a node.js server being used on port 80.

Answer: node.js
TASK 3
What is the name of the Web Framework according to Wappalyzer?
I used the Wappalyzer Firefox extension and could see that the framework being used was Express, which is a web application framework for node.js.

Answer: Express
TASK 4
What is the name of the vulnerability we test for by submitting {{7*7}}?
I typed {{7*7}} in the email field, which is a way to find SSTI vulnerabilities, and got this error code.

You might think an error code is useless, but it's actually quite helpful, as I now know that the server is running from "/root/Backend" and uses the Handlebars templating engine.

Answer: server side template injection
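As an added example (not from the original post): a dependency-free check a defender could run over proxy or WAF request/response pairs to flag the kind of `{{7*7}}` probing described above, and to tell an escaped reflection apart from an actually evaluated one. The field names and sample traffic are constructed.

```javascript
// Template-expression syntaxes commonly used as SSTI probes (Handlebars/Jinja-style
// {{...}}, JS template ${...}, ERB <%= %>, Ruby/Slim #{...}).
const PROBE_PATTERNS = [
  /\{\{[^}]*\}\}/,
  /\$\{[^}]*\}/,
  /<%=?[^%]*%>/,
  /#\{[^}]*\}/,
];

// Returns the names of the request parameters that contain template-expression syntax.
function findTemplateProbes(params) {
  return Object.entries(params)
    .filter(([, value]) => PROBE_PATTERNS.some((re) => re.test(String(value))))
    .map(([name]) => name);
}

// A probe of the form {{A*B}} (or ${A*B}) whose product appears in the response,
// while the raw probe text does not, is evidence the input was compiled as a
// template rather than treated as data. A plain echo of "{{7*7}}" means it was escaped.
function probeWasEvaluated(value, responseBody) {
  const m = String(value).match(/^\s*(?:\{\{|\$\{)\s*(\d+)\s*\*\s*(\d+)\s*\}\}?\s*$/);
  if (!m) return false;
  const product = String(Number(m[1]) * Number(m[2]));
  return responseBody.includes(product) && !responseBody.includes(String(value));
}

// Classify one request/response pair: 'clean', 'probe' (attempt seen, not evaluated)
// or 'evaluated' (the server executed the expression; treat as a confirmed SSTI finding).
function classify(entry) {
  const probes = findTemplateProbes(entry.params);
  if (probes.length === 0) return { verdict: 'clean', fields: [] };
  const evaluated = probes.some((f) => probeWasEvaluated(entry.params[f], entry.body));
  return { verdict: evaluated ? 'evaluated' : 'probe', fields: probes };
}

// Constructed sample traffic: a normal submission, an evaluated probe, an escaped probe.
const SAMPLE = [
  { params: { email: 'alice@example.com' }, body: 'We will contact you at alice@example.com' },
  { params: { email: '{{7*7}}' }, body: 'We will contact you at 49' },
  { params: { email: '{{7*7}}' }, body: 'We will contact you at {{7*7}}' },
];

SAMPLE.forEach((e) => console.log(JSON.stringify(classify(e))));
```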
TASK 6
What is the name of the BurpSuite tab used to encode text?
I headed over to the HackTricks SSTI article and started reading; then, I found this node.js Handlebars exploit.

Then I opened Burp Suite and URL-encoded it.

Answer: decoder
TASK 7
In order to send special characters in our payload in an HTTP request, we'll encode the payload. What type of encoding do we use?
Answer: URL
TASK 8
When we use a payload from HackTricks to try to run system commands, we get an error back. What is "not defined" in the response error?
I injected the encoded payload in the email field and passed it along with Intercept.

Then I got this error.

Answer: require
TASK 9
What variable is the name of the top-level scope in Node.JS?
I found the answer using Google, which directed me to Stack Overflow.

Answer: global
TASK 10
By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user?
After researching more on the subject, I found what I was looking for, which is process.mainModule.

With this new information, I'll go back to the HackTricks article and look for payloads that include the process.mainModule.
After finding something suitable, the next step is to change the payload and look at the result.
As you see in the picture, it works!

Answer: root
Submit root flag
The last step is to open the flag.txt file in the root directory.

Answer: 6b258d726d287462d60c103d0142a81c
Conclusion
Considering this is supposed to be an easy room, it's definitely more challenging than I thought.
I hope you all enjoyed this CTF, and feel free to share or maybe even get me a cup of coffee.