HTB Labs — Tier 1 — “Bike” Machine Walkthrough | By CyberAlp0

Mohamed Maher
8 min read, Feb 24, 2025


Solving Bike Machine from HackTheBox — Starting Point — Tier 1 | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again with a new walkthrough powered by HTB, Tier 1, named “Bike”. Bike is one of the VIP labs in the HackTheBox Starting Point phase, Tier 1. It touches many areas and strengthens several skills: working with a custom application, RCE, Server Side Template Injection, and reconnaissance.

Most importantly, it teaches more about the Node.js web technology, which is used a lot in building web applications.

Let’s not waste more time in the introduction and begin hacking!

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you must be on the same network. You can read my Blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: What TCP ports does Nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high.

Answer: 22,80

Walkthrough:

To identify the open ports on the target machine, we can use the Nmap tool. By typing the following command, we can determine the open ports and the services running behind them.

nmap -sV 10.129.88.205
Running Nmap on the target machine to identify the opened ports and the running services through these ports.

According to the screenshot, we can identify that two ports are open: 22 and 80. Port 22 is serving OpenSSH and port 80 is running Node.js.

The -sV option in Nmap detects the services running on open ports. For example, if port 80 is open, Nmap may determine whether it is running Apache, Nginx, or another web server. It also tries to determine the version of the service.

Task 2: What software is running the service listening on the HTTP/web port identified in the first question?

Answer: node.js

Walkthrough:

According to the last screenshot, we can see that port 80 is served by software called Node.js, a JavaScript runtime commonly used to serve web applications.

Task 3: What is the name of the Web Framework according to Wappalyzer?

Answer: express

Walkthrough:

Before we answer this task, we need to know more about the Wappalyzer tool. Wappalyzer identifies the technologies a website is built with. We can install its extension on Firefox through the following link.

To be able to analyze the web service “Bike”, we need to add a hostname entry for the machine to our local name resolution, which is the /etc/hosts file.

Adding the target machine in the local DNS to navigate the web service and analyze it.

Now, we can reach the web service in the browser by typing http://bike.htb; the name resolves to the target’s IP address. After installing Wappalyzer, we can determine the web frameworks the target is using.

Determining the web framework that is being used by the target using Wappalyzer.

Task 4: What is the name of the vulnerability we test for by submitting {{7*7}}?

Answer: Server Side Template Injection (SSTI)

Walkthrough:

The vulnerability tested by submitting {{7*7}} is known as Server-Side Template Injection (SSTI). This type of vulnerability occurs when user input is embedded in server-side templates without proper sanitization or validation.

Side Note: Many web frameworks use template engines that allow for dynamic content generation. If these templates evaluate user input, an attacker can execute arbitrary code or manipulate the template rendering. Successful exploitation can lead to data leakage, remote code execution, or unauthorized access to sensitive information.

Testing for SSTI typically involves submitting payloads that exploit the template engine’s behavior, such as mathematical expressions or control structures.

Task 5: What is the templating engine being used within Node.JS?

Answer: handlebars

Walkthrough:

We need to understand firstly what is meant by templating. Templating engines are tools used in web development to generate dynamic HTML pages by combining templates with data.

When navigating to our HTB machine through the browser by typing http://bike.htb, we will notice the following web page

The web application is being developed and not finished yet.

It tells you that the web app is currently under development and asks you to enter your email to inform you once it is finished “Just like the marketing newsletters from social media platforms”.

Mindmap Walkthrough

First: Let’s enter any temporary email address and see the result

The server responds that it will email me back once the app is finished.

The server reflects the input you entered in the email field back into the page. This could indicate a Reflected XSS vulnerability in the web application.

Reflected XSS occurs when a web server includes unvalidated user input in the response (often in the form of URL parameters) without proper sanitization or encoding. This means that the malicious script is “reflected” off the web server, and immediately executed in the user’s browser when they click on a specially crafted link.

To test for this vulnerability we may inject a simple payload, <script>alert(1)</script>. By typing it in the email field we will notice that we do not get the response we expected (an alert window). This means that the reflected XSS vulnerability is not present here.

Second: Server Side Template Injection (SSTI)

Let’s try submitting the input {{7*7}} in the email field and see the response. An error page appeared, as shown in the screenshot.

The web application is vulnerable to SSTI.

When an SSTI vulnerability exists in a web application, the server parses template expressions in our input and evaluates them. Here, when we typed the expression 7*7, the server did not respond with 49, the outcome of the mathematical expression; instead it responded with an error. The error itself shows that the template engine tried to parse our input, which confirms that the web application is vulnerable to SSTI.

The error indicates that the templating engine that is being used is called handlebars.

For more information about the vulnerability, you may see the following link.

Task 6: What is the name of the BurpSuite tab used to encode text?

Answer: decoder

Walkthrough:

The Decoder tab in Burp Suite serves several important purposes, the most important of which is encoding and decoding data.

Task 7: In order to send special characters in our payload in an HTTP request, we’ll encode the payload. What type of encoding do we use?

Answer: URL

Walkthrough:

To send special characters in a payload within an HTTP request, you typically use URL encoding (also known as percent-encoding).

URL encoding converts characters into a format that can be transmitted over the Internet. It ensures that special characters do not interfere with the request syntax.

In URL encoding, special characters are replaced with a % followed by two hexadecimal digits that represent the ASCII value of the character. For example:

- Space ( ) becomes %20

- Exclamation mark (!) becomes %21
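To make the encoding step concrete from both sides, here is an added example that is not part of the original write-up: a percent-encoder implementing the rule just described, and a defender-side check that decodes form bodies from constructed log lines and flags the two probes this walkthrough sends to the email field (the {{7*7}} template expression and the script tag). The log format, IP address and function names are my own assumptions.

```javascript
// Percent-encode as the page describes: unreserved bytes (RFC 3986) pass
// through; every other UTF-8 byte becomes '%' and two uppercase hex digits.
function percentEncode(text) {
  return Array.from(new TextEncoder().encode(text), (byte) => {
    const ch = String.fromCharCode(byte);
    return /[A-Za-z0-9\-_.~]/.test(ch)
      ? ch
      : '%' + byte.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// Reverse direction, as the server sees a form body: '+' is a space, then
// percent-decode; a malformed sequence is kept raw so it is still scanned.
function decodeFormValue(raw) {
  try { return decodeURIComponent(raw.replace(/\+/g, ' ')); } catch { return raw; }
}

// Signatures for the two probes this walkthrough sends to the email field.
const PROBE_PATTERNS = [
  { name: 'ssti-expression', re: /\{\{[^}]*\}\}|\$\{[^}]*\}|<%[^%]*%>/ },
  { name: 'xss-script-tag', re: /<\s*script\b/i },
];

// Constructed log lines in a hypothetical "ip method path status body" form;
// the body is exactly what the server received, still percent-encoded.
const SAMPLE_LOG = [
  '10.10.14.5 POST / 200 email=alice%40example.com',
  '10.10.14.5 POST / 200 email=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
  '10.10.14.5 POST / 500 email=%7B%7B7%2A7%7D%7D',
];

// Decode every form field on every line and report which probe it matches.
function flagProbes(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+) (\S+) (\S+) (\d{3}) (.*)$/);
    if (!m) continue; // skip lines that do not fit the expected shape
    const [, ip, method, path, status, body] = m;
    for (const pair of body.split('&')) {
      const [field, value = ''] = pair.split('=');
      const decoded = decodeFormValue(value);
      for (const p of PROBE_PATTERNS) {
        if (p.re.test(decoded)) {
          hits.push({ ip, method, path, status: Number(status), field, probe: p.name, decoded });
        }
      }
    }
  }
  return hits;
}
```

Note that the 500 status on the template-expression line is the same symptom the walkthrough saw in the browser, so pairing decoded probe patterns with server errors is a cheap way to spot SSTI testing in logs.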

To perform the encoding, we start Burp Suite to intercept the traffic. Using the Decoder tab in Burp Suite, we encode the SSTI payload before placing it in the email input field.

Since the web application is based on node.js in its web technology, we will be using a specific payload to be inserted in the email field of the web application.

The payload is mentioned clearly in the Hacktricks payloads through the following link.

The Node.js Based payload for exploiting the SSTI vulnerability in the Bike web application.

By copying this payload, encoding it using the Decoder in Burp Suite, and inserting it in the email field, we get the following response in Burp Suite.

Encoding the payload from HackTricks as URL in the Decoder in Burp Suite.
Inserting the encoded payload in the email field in the request.

Task 8: When we use a payload from HackTricks to try to run system commands, we get an error back. What is “not defined” in the response error?

Answer: Require.

Walkthrough:

Now that we have inserted the URL-encoded payload in the email field of the request, we send the request to Repeater before forwarding it.

You can move the request to Repeater by right-clicking the request and choosing Send to Repeater.

Then, move to the Repeater tab and monitor the response after sending it, as shown in the screenshot.

The server’s response to the payload we inserted. It mentions that require is not defined.
Showing an error response in the browser.

An error appeared in the browser stating that there is a “ReferenceError: require is not defined”

Task 9: What variable is traditionally the name of the top-level scope in the browser context, but not in Node.JS?

Answer: Global

Walkthrough:

In Node.js, the top-level scope is not “window”. Instead, the global object is “global”. However, each Node.js module has its own scope, so variables declared with var, let, or const at the top level of a module are not added to the global object. The same applies to require: it is passed into each module as a local, not exposed on the global object, which is why the previous payload failed to find it.
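To see why the {{7*7}} probe from Task 4 works, why the error in Task 8 says require is not defined, and what the fix looks like, here is an added example that is not the Bike application’s code nor Handlebars itself: a deliberately tiny renderer that compiles user input the way a real engine does, next to a fixed-template version that treats the email field as data. The function names and the template string are my own assumptions; it is meant to be run as a file with node.

```javascript
// Vulnerable pattern: the user's input IS the template source, so every
// {{expression}} in it is compiled to JavaScript and evaluated. That is
// exactly what the {{7*7}} probe in Task 4 detects.
function renderUnsafe(templateSource) {
  return templateSource.replace(/\{\{(.+?)\}\}/g, (_, expr) =>
    // Compiled templates (Handlebars among them) are built with new Function,
    // which runs in global scope: 'global' is reachable there, but a
    // CommonJS module's 'require' parameter is not. Run as a file with
    // node, that is the "require is not defined" error from Task 8 and
    // the reason 'global', not 'window', is the answer to Task 9.
    String(new Function(`return (${expr});`)())
  );
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the template is a fixed string owned by the developer
// and user input is only ever substituted as escaped data, so {{7*7}} or a
// <script> tag typed into the email field is echoed verbatim, never run.
const SUBSCRIBE_TEMPLATE = 'We will contact you at: {{email}}';

function renderSafe(email) {
  const data = { email };
  return SUBSCRIBE_TEMPLATE.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? escapeHtml(data[key]) : ''
  );
}

// Side by side: the same three inputs through each renderer.
function demo() {
  const inputs = ['{{7*7}}', '{{typeof window}}', '{{typeof global}}'];
  return inputs.map((input) => ({
    input,
    unsafe: renderUnsafe(input),
    safe: renderSafe(input),
  }));
}

console.table(demo());
```

The mitigation is the second pattern: never pass request data to the template compiler, only to the render context, and keep HTML escaping on for anything echoed back.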

Task 10: The Root Flag

Answer: 6b258d726d287462d60c103d0142a81c

Walkthrough:

Based on the previous response of the server, which indicated “ReferenceError: require is not defined”, and after a quick search, we may use the payload mentioned in the following link to bypass this error.

Copy and paste this payload into the Decoder in Burp Suite, encode it as URL, replace the previous payload in the email field, and send the request from Repeater. Once you send the request to the server, you will receive the following response.

Replacing the new encoded payload in the email field and monitoring the response of the server.

It shows clearly that we had root access. We can view the response in the browser.

The server has executed the “whoami” command and responded with the root user.

Now, we need to view the root flag. However, we don't know where flag.txt is. Thus, we only replace the single command “whoami” in the payload we copied from this link with the command “ls /root”.

This command lists the contents of the root directory so we can check whether flag.txt is there.

There is a file called flag.txt.

As per the screenshot, we will find what we are looking for. Thus, we need to replace the command with “cat /root/flag.txt” to make the server respond to us with the content of the text file.

Don’t forget to re-encode the payload after replacing the command.

The server has responded with the content of the flag.txt file that is located in the /root/flag.txt.
The response of the server on the browser.

Hope you enjoyed reading my blog about solving Bike machine from HTB — Tier 1 — Starting Point Phase.

See You in another write-up!
