Bike

Bike has a challenge machine with IP address: 10.129.150.6

We will start with the traditional way i.e scanning with the NMAP

NMAP

Nmap scan is done using the following command
$ nmap -sV -sC 10.129.150.6

Complete scan results are as followed:

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)

| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)

|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)

80/tcp open http Node.js (Express middleware)

|_http-title: Bike

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan showed 2 open ports.

22/TCP
80/TCP

As port 80 is for a website, so we will put this IP address into the address bar of FireFox browser.

As we browse this IP, a simple web page with an input email address text bar shows up.

More or less here we know that this email address input bar will be our play ground for this machine.

So we start putting random email and text to check if the input is sanitized or what kind or error pops up.

My first instinct was to check if it even checks for character like @.
On putting asdsd in email address bar, the input is reflected as it is.
Lets check common SQL Injection payloads too.

Upon i nserting <script>echo alert('1'); </script>
Same input was reflected back.

Lets find the technology behind this webpage.
Here comes Wappalyzer int the game.

Wappalyzer:

Wappalyzer is used as extension to inspect a webpage. Here we have it integrated in our FireFox browser.

It shows that this webpage is built on Express framework using Node.js language.

The article on Hacktricks gives insights on exploiting different frameworks.
Using this article, we will inject inputs like, {{7*7}}, ${7*7}, ${7/0}, {{7/0}}, and <%= 7/0 %>.

Observing the server's response to mathematical operations helps pinpoint the specific template engine.

${7*7} was returned as it is.
But upon inserting {{7*7}}, an error was thrown as shown below;

Error: Parse error on line 1:

--^

Expecting 'ID', 'STRING', 'NUMBER', 'BOOLEAN', 'UNDEFINED', 'NULL', 'DATA', got 'INVALID'

at Parser.parseError (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:268:19)

at Parser.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:337:30)

at HandlebarsEnvironment.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/base.js:46:43)

at compileInput (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:515:19)

at ret (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:524:18)

at router.post (/root/Backend/routes/handlers.js:14:16)

at Layer.handle [as handle_request] (/root/Backend/node_modules/express/lib/router/layer.js:95:5)

at next (/root/Backend/node_modules/express/lib/router/route.js:137:13)

at Route.dispatch (/root/Backend/node_modules/express/lib/router/route.js:112:3)

at Layer.handle [as handle_request] (/root/Backend/node_modules/express/lib/router/layer.js:95:5)

The template engine in this webpage is "handlebars" as found from the error message.

Now that we have found what template engine is running behind the scenes, we can find and use exploits, designed specifically for "handlebars template engine".

The article on Hacktricks lists exploits for various exploits including php, java, node.js, python, .net, ruby, asp and go.
we will look for Handlebars (NodeJS).
Here java code for an exploit with its url encoding is provided.
But first, we will start BuirpSuit for better checking with repeater.

BuirpSuit:

After or before starting Buirpsuit, we have to configure proxy with our Firefox.
Settings>proxy>mannual proxy> 127.0.0.1, 8080

After doing these configurations, and seeing that intercept is on in BuirpSuit, we have to refresh our browser, Bike tab.

As we will have to try multiple payloads in place of email, we will first send this header to Repeater with CRTL+r.

The repeater tab turned red.
Go to repeater and insert the url encoded input from Handlers.js in place of email as followed;

On pressing Send, we see the following output.

See the error changes with "require is not defined." Lets alter this input and remove this function "require" from the Java code.

Copy the code and put in Decoder tab of Buirpsuit.

change the above mentioned line to only "return process" as shown below.

Now encode this code as URL and copy.

We will paste it into our email variable and press send in Repeater tab.

Press send;

The error message completely disappeared with returning of some empty objects. If we alter our code with further global variables, we get into the intersting information.