[Hack The Box] [Starting Point] [Tier 1] Bike

TASK 1

What TCP ports does nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high. 22,80

TASK 2

What software is running the service listening on the http/web port identified in the first question? Node.js

TASK 3

What is the name of the Web Framework according to Wappalyzer? Express

TASK 4

What is the name of the vulnerability we test for by submitting {{7*7}}? Server Side Template Injection

TASK 5

What is the templating engine being used within Node.JS? Handlebars

Following the detection flow in SSTI (Server Side Template Injection) - HackTricks:

Submitting ${7*7} returns no error; trying {{7*7}} next does throw an error:

TASK 6

What is the name of the BurpSuite tab used to encode text? Decoder

TASK 7

In order to send special characters in our payload in an HTTP request, we’ll encode the payload. What type of encoding do we use? URL

TASK 8

When we use a payload from HackTricks to try to run system commands, we get an error back. What is “not defined” in the response error? require

Submitting {{7*'7'}} also throws an error, so the target very likely has an SSTI vulnerability (the engine parses our input as template syntax).

Next comes the Handlebars injection payload, taken straight from SSTI (Server Side Template Injection) - HackTricks.

First I checked whether the path-traversal payload works; it only produced an error, so that failed.

So I used the URL-encoded payload provided there directly:

TASK 9

What variable is the name of the top-level scope in Node.JS? global

TASK 10

By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user? root

require is not a JavaScript keyword at all: in Node.js it is a function that the CommonJS module wrapper passes into each file's own scope, so it is not a property of global. The HackTricks payload compiles our code with the Function constructor, and functions built that way run in the global scope, which is exactly why the response says require is not defined. The Node.js documentation's Globals page confirms that require is module-scoped rather than global.

Let's first look at the injected code: {{this.push "return **require**('child_process').exec('whoami');"}}

The code needs the child_process module. Checking the docs, process (unlike require) is a true global object, so it should be reachable from the injected code.

Let's test whether we can return process:

Change the line above to {{this.push "return process;"}}, URL-encode it with the encoder tool, resend, and it executes successfully:

I then tried several functions from the process docs, but none of them seems to execute an arbitrary command.

However, process.mainModule is a deprecated property that the docs say is superseded by require.main. That means it exposes the entry module, and a Module object carries its own require, so it is worth a try.

{{this.push "return **process.mainModule**;"}} is called successfully,

Injecting {{this.push "return **process.mainModule.require**('child_process').exec('whoami');"}} directly does not return the output: exec is asynchronous and returns a ChildProcess object rather than the command's stdout, so nothing useful is rendered.

From the same documentation, the synchronous variant returns the output directly: {{this.push "return process.mainModule.require('child_process').**execSync**('whoami');"}} executes successfully:

The rest is straightforward: the flag is usually in the user's home directory, so find it and you're done.

Note:

Bike.pdf

Ref:

Server-side template injection | Web Security Academy (portswigger.net)
