Hack the Box Bike Machine

I cannot get the final three node.js codes to give the appropriate output. It won’t accept “root”, but rather gives syntax errors.

Once I change the return process line to "{{this.push “return process.mainModule.require(‘child_process’).execSync(‘whoami’);”}}, it gives me output but does not indicate “root” in the return.

Then all other node.js codes that follow only provide me syntax errors. I’ve tried copying, typing, running this on the HTB desktop, running the lab on a VPN through ParrotSec, and I get stuck at this point every time.

I am also having the same issue-- all is fine until I get to payload that includes the same line.
“{{this.push “return
process.mainModule.require(‘child_process’).execSync(‘whoami’);”}}”

The last line does not indicate root, but instead the returned values end with [object Object].

I took a closer look at the guide and realized there is a return carriage in the documentation right at '.execSync(‘cat’.

As a result the URL encoding is incorrect.

This works if you copy the payload into the Decoder and combine this and the next line. It should be a single line that reads like this: {{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}

2 Likes

thanks @ddm86 . had the same issue and could not figure out. this helped