Home HTB Starting Point - Tier 1 - Bike
Post
Cancel

HTB Starting Point - Tier 1 - Bike

Introduction

This is the 5th target in the Tier 1 lineup, and the 2nd of 3 VIP machines. Ths machine introduces SSTI and the use of a proxy to conduct the attack. This one was pretty difficult for me as I hadn’t done SSTI before. You’ll get comfortable with Burp's Decoder and Repeater tabs, that’s for sure.

tl;dr

Spoiler! 1. Scan results indicate there is a webserver running Node.js. We identify which framework is running using `SSTI`; the framework is `Handlebars`.
2. Capture the POST request via `Burpsuite` and load the request into Repeater.
3. Use exploits from sources like [Hacktricks](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection). Encode the payloads in Decoder as "URL" and troubleshoot the responses until there is a reponse.
4. Use the global var `process` to get `mainModule`, check `whoami` to verify `root`.
5. `ls` to verify the flag is available, then `cat` it out.
sHAre tHe ROaD bR0

Establishing a Connection and Initial Scan

Spawn the bastard and get vpn going.

I’ve confirmed the target is reachable with a ping.

Start the default nmap scan and let it run while we complete the tasklist.

The Tasklist

Task 1

What TCP ports does nmap identify as open? Answer with a list of ports seperated by commas with no spaces, from low to high.

NMAP shows ports 22,80 as open.

Task 2

What software is running the service listening on the http/web port identified in the first question?

node.js

Task 3

What is the name of the Web Framework according to Wappalyzer?

express

Task 4

What is the name of the vulnerability we test for by submitting`?

Server Side Template Injection aka SSTI. This is similar to SQLi in that the input field presented to end-users is not sanitized properly, and therefore allows for code to be passed and interpreted to the backend. However, SSTI injects commands to the webserver framework rather than a DB in the instance of SQLi.

Task 5

What is the templating engine being used within Node.JS?

We can identify the template using some unique strings that will return status/error codes that validate if there is a targeted template in use. We’ll be entering these into the email field on the webserver’s landing page:

I referenced Hacktricks for their SSTI testing methodology here: Hacktricks SSTI

There are several expressions to try:

``
${7*7}
<%= 7*7 %>
$
#{7*7}

After testing a few, the “``” expression returns some results:

The template in use is Handlebars. Hacktricks has a section for attacking the template further down the page: Handlebars Template Injection Payload on HackTricks

Task 6

What is the name of the BurpSuite tab used to encode text?

The payload for Handlebars looks like in needs to be passed via POST from the webform submission.

>

I set up FoxyProxy to redirect the request to Burpsuite to capture.

With that setup, I then launched Burpsuite. If you are not familiar with setting up the proxy, check the following:

  1. Proxy tab - this section will contain the relevant details to configure/
  2. Options subtab - check here to see if you have an interface defined.
  3. If not, set to 127.0.0.1 (localhost) and set the port to match what was set in FoxyProxy.
  4. Modify the intercept rules as needed, but I’ve left these as default

With that done, the answer to this task is Decoder.

Task 7

In order to send special characters in our payload in an HTTP request, we’ll encode the payload. What type of encoding do we use?

  1. This is the Decoder tab
  2. The payload will be entered here.
  3. Despite the name, we will be encoding the payload rather than decoding. This dropdown has many options. Remember that POST variables are sent via URL, so we need to encode in the URL type.
  4. Once URL has been selection, we see the transformed string below to copy into the Repeatertab.

Task 8

When we use a payload from HackTricks to try to run system commands, we get an error back. What is “not defined” in the response error?

The next step of the attack is to load the Repeater.

We need to copy and paste the encoded payload from the Decoder tab to the Repeater, specifically the POST variable ‘email’.

  1. We hit send to forward the payload to the target
  2. Th target responds. We see there is an errror. Looks like require is not defined.
Our first error on this box. The first of *many*.

Task 9

What variable is the name of the top-level scope in Node.JS?

I had to look the error up. Essentially, the require function is out-of-scope of the application we are attacking. We need to find a function that it can access. These are called global variables.

Task 10

By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user?

The first global var we try is process. We enter the above back to the decoder…

…and receive the following response when sent via the Repeater. The process var was in-scope!

We try again, this time getting the mainModule object.

The object is returned successfully.

Time to check who we are running as.

root

scandalous

Capturing the Flag

Time to get the flag.

We push an ls to see what files are in the /root directory.

The flag is in the current working directory. Neat.

Cat it out…

And we got it.

All of my attempts at this task.

Lessons Learned

  • SSTI attacks for webforms can be viable. Walk the identification expressions to see if the template can be identified, and then exploited
  • Burpsuite is pretty handy for these things. I know, understatement of the century
  • Errors returned from exploits are just as helpful as getting data at times. Adjust the payload based off of research of the error.
  • I really, really don’t like those bicyclists that run stop signs, yet want to be treated like vehicles. And you look like dorks in those bike suits!
A group of cyclists is reffered to as an aneurism.
This post is licensed under CC BY 4.0 by the author.