Bike (Tier 1)
Tier -> 1
Difficulty -> Very Easy
OS -> Linux
Tags -> Custom Applications / NodeJS / Reconnaissance / Remote Code Execution / Server Side Template Injection (SSTI)
With this, I answered the first question
Answer: 22,80
Then I did an exhaustive scan to learn more about the services running on the open ports
With this, I answered the next question
Answer: Node.js
As I found the HTTP service on port 80, I went to the browser to check the content being served. I found a simple website that let me enter an email address and submit it. After filling out the form and hitting the Submit button, I obtained a response from the website that included the information I had submitted
With this and a little research, I answered the next questions
Answer: Express
Answer: Server Side Template Injection
To test for some vulnerabilities in the insertion point, I inserted some XSS payloads in the form but didn't get any results. After that, I tried some SSTI payloads and noticed that an input of {{7*7}} caused an error on the page, which indicated it could be vulnerable to this attack
With this and a little research, I answered the next question
Answer: Handlebars
I noticed the site was URL-encoding the submitted values, so to make sure the page would process the payload correctly, I encoded it the same way in the Decoder tab. After that, I resent the request and got a different error from the site
With this and a little research, I answered the next questions
Answer: Decoder
Answer: URL
Answer: require
Answer: global
With this, I answered the next question
Answer: root
That revealed I had gained RCE as the root user, so by abusing this method, I listed the files in the /root folder. There I found a flag.txt file, and I used the RCE once again to read the content of this file, which gave me the flag
With this, I got the root flag and pwned the machine
Answer: 6b258d726d287462d60c103d0142a81c
I noticed I didn't receive any response from the server, but on checking the listener I saw I had caught a shell as the root user
I started with an initial scan using
To learn more about the HTTP protocol you can go
I reviewed the source code but didn't find anything interesting, so to learn more about the components of the website I used the extension
To learn more about Cross-Site Scripting (XSS) attacks you can go, and to learn more about Server-Side Template Injection (SSTI) attacks you can go
This gave me information about some folders and components used by the server to deploy the web page, for example, that it was using the template engine. So I reviewed some attack vectors for this engine and, with some, I found a payload to abuse it
After that, I intercepted the request that was sent so I could modify its content and send this payload. To do so, I used to intercept the request and send it to to modify it. After catching it with the proxy, I sent it to the Repeater tab to resend it
Searching for this error, I found out it was because the require function used in line 9 of our payload was not available in the deployment's internal environment, so I had to find a way to adapt it for my purposes. After a little, I found an alternative to the require function via the process.mainModule property. So I adapted the payload to work with this and resent it
I noticed the server processed it without errors, but instead of executing the command, it was returning what seemed to be JavaScript objects. This could be because the exec function was not available within the environment context. After a lot of, I found other functions from the child_process module that could let me execute commands. Trying all the options, I found that by using the execSync function and resending the request, I finally got it to work
I tried to gain a reverse shell by abusing the RCE with a suitable payload. I started a listener on my machine and sent the request with the payload
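From the defender's side, the stages of this write-up (the {{7*7}} probe, the URL encoding the site applied to form values, and the process.mainModule / child_process / execSync identifiers) can all be checked for in the server's form submissions. The following is an added example and not code from this write-up or the box; the log line format, the `email` field name and the sample values are constructed assumptions:

```javascript
// Added example (not from the original write-up): flag form submissions that look
// like the SSTI probes described above. Log format and sample lines are constructed.
// Indicators drawn from the write-up: an arithmetic probe inside {{ }}, plus the
// Node.js identifiers a payload needs to reach command execution.
const INDICATORS = [
  { name: 'template-arithmetic-probe', re: /\{\{[^}]*\d+\s*[*+\-\/]\s*\d+[^}]*\}\}/ },
  { name: 'node-module-access',        re: /\bprocess\.mainModule\b|\brequire\s*\(/ },
  { name: 'child-process-exec',        re: /\bchild_process\b|\bexecSync\b/ },
];

// URL-decode until the value stops changing, so a double-encoded payload
// ("%257B" -> "%7B" -> "{") is still caught; the site encoded form values, so
// matching "{{" on the raw body would miss "%7B%7B". '+' is a space in form bodies.
function fullyDecode(value) {
  let current = value.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); }
    catch (e) { break; } // malformed %-sequence: keep what we have
    if (next === current) break;
    current = next;
  }
  return current;
}

// Pull the email field out of a constructed log line: "POST /submit email=<value>"
function extractEmail(line) {
  const m = /\bemail=([^&\s]*)/.exec(line);
  return m ? m[1] : null;
}

// One finding per submission that matches at least one indicator.
function scanSubmissions(lines) {
  const findings = [];
  for (const line of lines) {
    const raw = extractEmail(line);
    if (raw === null) continue;
    const decoded = fullyDecode(raw);
    const indicators = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
    if (indicators.length > 0) findings.push({ line, decoded, indicators });
  }
  return findings;
}

// Constructed sample submissions: benign, encoded probe, double-encoded identifier.
const SAMPLE_LOG = [
  'POST /submit email=alice%40example.com',
  'POST /submit email=%7B%7B7*7%7D%7D',
  'POST /submit email=%257B%257Bprocess.mainModule%257D%257D',
];
console.log(JSON.stringify(scanSubmissions(SAMPLE_LOG), null, 2));
```

The real fix on the application side is never to compile user input as a template; pass it to a fixed template as data instead, and keep this kind of check as a detection layer in front of it.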