
HTB Labs — Tier 1 — “Bike” Machine Walkthrough | By: CyberAlp0

Author: CyberAlp0
Published: July 4, 2026
Read time: 09 min

Hey Folks, this is CyberAlp0. Welcome back to a new walkthrough powered by HTB, Tier 1, named “Bike.” Bike is one of the VIP labs in the HackTheBox Starting Point Phase, Tier 1. It covers several areas and strengthens skills in custom applications, RCE, Server-Side Template Injection, and reconnaissance. Its main lesson is the Server-Side Template Injection (SSTI) vulnerability in a Node.js application.

Executive Summary

Here is an executive summary of the steps we are going to follow:

The machine features a Node.js web application using the Handlebars templating engine that contains an SSTI vulnerability. SSTI occurs when user input is directly embedded into templates without proper sanitization, allowing attackers to execute arbitrary code on the server.

Stage I: Scanning

The initial port scan reveals a Node.js web application on port 80. There is also a second open port, 22, which runs SSH (OpenSSH 8.2p1 Ubuntu).

From the Nmap scan, we will find the following information:

  • Service Running: node.js (express middleware)
  • Exposed Port: 80

Stage II: Enumeration

To test for SSTI, we will submit template syntax such as {{7*7}} in a web form. The resulting error message reveals that the application uses the Handlebars templating engine.

Stage III: Exploitation

We will use Burp Suite to intercept the form submission, URL-encode specific payloads, and execute system commands through the template injection to gain remote code execution (RCE) as the root user.

Let’s not waste more time on the introduction and begin hacking in detail!

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: What TCP ports does Nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high.

Answer: 22,80

Walkthrough:

To identify the open ports on the target machine, we can use the Nmap tool. The following command lists the open ports and the services running behind them.

nmap -sV 10.129.88.205
Running Nmap on the target machine to identify the opened ports and the running services through these ports.

According to the screenshot, two ports are open: 22 and 80. Port 22 is serving OpenSSH, and port 80 is running Node.js.

The -sV option makes Nmap probe each open port to detect the service running on it. For example, if port 80 is open, Nmap may determine whether it is running Apache, Nginx, or another web server. It also tries to determine the version of that service.

Task 2: What software is running the service listening on the HTTP/web port identified in the first question?

Answer: Node.js

Walkthrough:

According to the last screenshot, port 80 is served by Node.js, a JavaScript runtime commonly used to run web servers.

Task 3: What is the name of the Web Framework according to Wappalyzer?

Answer: express

Walkthrough:

Before we answer this task, we need to know more about the Wappalyzer tool. Wappalyzer identifies the technologies (web servers, frameworks, libraries) behind a website. We can install its extension on Firefox through the following link.

To be able to analyze the “Bike” web service, we need to add an entry for the Bike HTB machine to the local hosts file, /etc/hosts, which the system consults for name resolution before querying DNS.

Adding the target machine in the local DNS to navigate the web service and analyze it.

Now, we can access the web service by typing http://bike.htb in the browser; the name resolves to the target’s IP address. After installing Wappalyzer, we can determine which web framework the target is using.

Determining the web framework that is being used by the target using Wappalyzer.

Task 4: What is the name of the vulnerability we test for by submitting {{7*7}}?

Answer: Server Side Template Injection (SSTI)

Walkthrough:

The vulnerability tested by submitting {{7*7}} is known as Server-Side Template Injection (SSTI). This type of vulnerability occurs when user input is embedded in server-side templates without proper sanitization or validation.

Many web frameworks use template engines that allow for dynamic content generation. If these templates evaluate user input, an attacker can execute arbitrary code or manipulate the template rendering. Successful exploitation can lead to data leakage, remote code execution, or unauthorized access to sensitive information. Testing for SSTI typically involves submitting payloads that exercise the template engine’s behavior, such as mathematical expressions or control structures, and checking whether the server evaluates them.

Task 5: What is the templating engine being used within Node.js?

Answer: handlebars

Walkthrough:

We need to understand, firstly, what is meant by templating. Templating engines are tools used in web development to generate dynamic HTML pages by combining templates with data.

When navigating to our HTB machine through the browser by typing http://bike.htb, we will notice the following web page:

The web application is being developed and not finished yet.

It tells you that the web app is currently under development and asks you to enter your email to inform you once it is finished, “Just like the marketing newsletters from social media platforms”.

Mindmap Walkthrough

First: Let’s enter any temporary email address and see the result.

The server responds that it will email me back once the app is finished.

The server reflects the input you entered in the email field back in its response. This could indicate a Reflected XSS vulnerability in the web application.

Reflected XSS occurs when a web server includes unvalidated user input in the response (often in the form of URL parameters) without proper sanitization or encoding. This means that the malicious script is “reflected” off the web server, and immediately executed in the user’s browser when they click on a specially crafted link.

To test for this vulnerability, we may inject a simple payload such as <script>alert(1)</script>. By typing it in the email field, we will notice that we do not get the response we expected (an alert window). This means the application is not vulnerable to this reflected XSS test.

Second: Server Side Template Injection (SSTI)

Let’s try submitting the input {{7*7}} in the email field and see the response. An error page appears, as shown in the screenshot.

The web application is affected by an SSTI vulnerability.

Whenever an SSTI vulnerability exists in a web application, the server parses user input as template syntax and evaluates it. When we submitted the expression 7*7, the server did not respond with the result of the multiplication; instead, it responded with an error. That error is itself the signal: it shows that the input reached the template engine’s parser rather than being treated as plain data, which indicates that the web application is affected by SSTI.

The error indicates that the templating engine that is being used is called handlebars.
For more information about the vulnerability, you may see the following link.
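To make the difference between the two behaviours observed above concrete (input reflected as data in the XSS test, input parsed as template syntax in the SSTI test), here is an added example that is not part of the original write-up or of the Bike application. It uses a deliberately minimal mustache-style renderer written for this demonstration, not Handlebars itself: like Handlebars, it treats {{ ... }} as template syntax, accepts only a plain identifier inside the braces, leaves literal template text unescaped, and HTML-escapes values that come from data. The function names, the confirmation message and the error text are all constructed for the example.

```javascript
// Added example (not the Bike application's code): a minimal mustache-style
// renderer that models the vulnerable and the hardened way of handling the
// email field. The parse-error behaviour mimics what the write-up observed
// when {{7*7}} was submitted; the message text is constructed, not Handlebars'.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// HTML-escape a value before it is written into the response body.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

class TemplateParseError extends Error {}

// Compile a template string into a render function. Only {{name}} with a plain
// identifier is accepted inside the braces, so {{7*7}} fails at parse time.
function compile(templateSource) {
  const parts = [];
  const re = /\{\{\s*([^}]*?)\s*\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(templateSource)) !== null) {
    parts.push({ text: templateSource.slice(last, m.index) });
    const expr = m[1];
    if (!/^[A-Za-z_$][\w$]*$/.test(expr)) {
      throw new TemplateParseError(`Parse error: unexpected token in "${expr}"`);
    }
    parts.push({ key: expr });
    last = re.lastIndex;
  }
  parts.push({ text: templateSource.slice(last) });
  // Literal template text is emitted as-is; data values are escaped.
  return (data) =>
    parts.map((p) => (p.key !== undefined ? escapeHtml(data[p.key] ?? '') : p.text)).join('');
}

// VULNERABLE pattern: user input is concatenated into the template source, so
// whatever the user types is parsed as template syntax (SSTI) and, being
// template text rather than data, is never escaped either.
function renderVulnerable(email) {
  return compile('We will contact you at: ' + email)({});
}

// HARDENED pattern: the template is a fixed developer-written string and the
// user input is passed only as data, which is escaped on output.
const CONFIRMATION = compile('We will contact you at: {{email}}');
function renderHardened(email) {
  return CONFIRMATION({ email });
}

// Run one probe value through both paths and report what each one did.
function probe(email) {
  let vulnerable;
  try {
    vulnerable = { ok: true, body: renderVulnerable(email) };
  } catch (err) {
    vulnerable = { ok: false, error: err.message };
  }
  return { vulnerable, hardened: { ok: true, body: renderHardened(email) } };
}

// Stand-alone demonstration with the two probes used in the write-up.
for (const input of ['<script>alert(1)</script>', '{{7*7}}']) {
  console.log(JSON.stringify(probe(input), null, 2));
}
```

In the vulnerable path, {{7*7}} raises a parse error (the error page seen on Bike) and a script tag would be reflected verbatim; in the hardened path both inputs are rendered as harmless, escaped text. The defensive rule this illustrates is the one that removes the whole class of bug: never build the template source from user input, pass the input as data to a template the developer wrote.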

Task 6: What is the name of the BurpSuite tab used to encode text?

Answer: decoder

Walkthrough:

The Decoder tab in Burp Suite serves several purposes, the most important of which is encoding and decoding data in formats such as URL, HTML, Base64 and hex.

Task 7: To send special characters in our payload in an HTTP request, we’ll encode the payload. What type of encoding do we use?

Answer: URL

Walkthrough:

To send special characters in a payload within an HTTP request, you typically use URL encoding (also known as percent encoding).

URL encoding converts characters into a format that can be transmitted over the Internet. It ensures that special characters do not interfere with the request syntax. In URL encoding, a special character is replaced with a % followed by two hexadecimal digits that represent the character’s ASCII value. For example:

- Space ( ) becomes %20
- Exclamation mark (!) becomes %21
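The encoding step described above, and the decoding a server or logging middleware has to do before it can recognise such input, as an added example that is not part of the original write-up. It implements strict percent-encoding (everything outside the RFC 3986 unreserved set is encoded, which is why a space becomes %20 and ! becomes %21), decodes application/x-www-form-urlencoded bodies, and flags decoded field values that contain template or markup syntax. The sample request bodies, marker lists and function names are constructed for the example; they are not from the lab.

```javascript
// Added example (not from the Bike write-up): percent-encoding, form-body
// decoding, and a defender-side inspector that flags template-syntax probes
// such as {{7*7}} once the value has been decoded.

// Encode every byte except the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~).
// Multi-byte UTF-8 characters are encoded byte by byte.
function percentEncode(str) {
  let out = '';
  for (const b of Buffer.from(str, 'utf8')) {
    const ch = String.fromCharCode(b);
    if (/[A-Za-z0-9\-._~]/.test(ch)) out += ch;
    else out += '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Decode one application/x-www-form-urlencoded value ('+' means space there).
function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Parse a form body into { name: decodedValue } pairs.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = formDecode(eq === -1 ? pair : pair.slice(0, eq));
    fields[name] = eq === -1 ? '' : formDecode(pair.slice(eq + 1));
  }
  return fields;
}

// Delimiters that only make sense as template or markup syntax, never as an
// email address. Constructed list; extend it to match the engines you run.
const TEMPLATE_MARKERS = ['{{', '}}', '{%', '${', '<%', '#{'];
const MARKUP_MARKERS = ['<script', '<img', 'javascript:', 'onerror='];

// Return the categories of probe a decoded value matches (empty if benign).
function classifyValue(value) {
  const lower = value.toLowerCase();
  const hits = [];
  if (TEMPLATE_MARKERS.some((m) => lower.includes(m))) hits.push('template-syntax');
  if (MARKUP_MARKERS.some((m) => lower.includes(m))) hits.push('html-markup');
  return hits;
}

// Inspect a raw form body and return one alert per suspicious field. Because
// matching happens after decoding, URL-encoding the probe does not hide it.
function inspectFormBody(body) {
  const alerts = [];
  for (const [name, value] of Object.entries(parseFormBody(body))) {
    const categories = classifyValue(value);
    if (categories.length > 0) alerts.push({ field: name, decoded: value, categories });
  }
  return alerts;
}

// Constructed sample bodies, as a logging middleware or WAF would see them.
const SAMPLE_BODIES = [
  'email=alice%40example.com',                        // benign signup
  'email=%7B%7B7*7%7D%7D',                            // encoded {{7*7}} probe
  'email=%3Cscript%3Ealert%281%29%3C%2Fscript%3E',    // encoded XSS probe
];

// Stand-alone demonstration: show the encoder on the SSTI probe, then inspect
// each sample body.
console.log(percentEncode('{{7*7}}'));
for (const body of SAMPLE_BODIES) {
  console.log(body, '=>', JSON.stringify(inspectFormBody(body)));
}
```

Note that the strict encoder also turns the asterisk into %2A, which the server decodes back to * before the template engine ever sees it; the inspector therefore works on the decoded value, the same view the engine gets, rather than pattern-matching the raw bytes on the wire.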

To perform this encoding, we start Burp Suite and intercept the traffic. Using the Decoder tab in Burp Suite, we can URL-encode the SSTI payload before placing it in the email input field.

Since the web application is based on Node.js in its web technology, we will be using a specific payload to be inserted in the email field of the web application.

The payload is listed in the HackTricks SSTI page through the following link.

The Node.js-based payload for exploiting the SSTI vulnerability in the Bike web application.

By copying this payload, encoding it in the Burp Suite Decoder, and inserting it in the email field, we get the following response in Burp Suite.

Encoding the payload from HackTricks as URL in the Burp Suite Decoder.

Inserting the encoded payload in the email field of the request.

Task 8: When we use a payload from HackTricks to try to run system commands, we get an error back. What is “not defined” in the response error?

Answer: Require.

Walkthrough:

Now that we have inserted the URL-encoded payload in the email field of the request, we send the request to Repeater before forwarding it.

You can move the request to Repeater by right-clicking the request and choosing “Send to Repeater”.

Then, move to the Repeater tab, send the request, and watch the response, as shown in the screenshot.

The server’s response to the payload we inserted. It states that require is not defined.

Showing the error response in the browser.

An error appeared in the browser stating “ReferenceError: require is not defined”.

Task 9: What variable is traditionally the name of the top-level scope in the browser context, but not in Node.js?

Answer: Global

Walkthrough:

In Node.js, the top-level scope is not “window” as it is in the browser. Instead, the global object is “global”. However, each Node.js module has its own scope, so variables declared with var, let, or const at the top level of a module are not added to the global object.

Task 10: The Root Flag

Answer: 6b258d726d287462d60c103d0142a81c

Walkthrough:

Based on the previous server response, which indicated “ReferenceError: require is not defined”, and after a quick search, we may use the payload mentioned in the following link to bypass this error.

Copy and paste this payload into the Burp Suite Decoder, URL-encode it, replace the previous payload in the email field with it, and send the request to Repeater. Once you send the request to the server, you will receive the following response.

Replacing the new encoded payload in the email field and monitoring the server’s response.

The response shows clearly that the command ran as root. We can also view the response in the browser.

The server has executed the “whoami” command and responded with the root user.

Now, we need to view the root flag. However, we don’t know where flag.txt is. Thus, in the payload we copied from the link above, we replace the single command “whoami” with “ls /root”.

This command lists the contents of the root directory, so we can check whether flag.txt is there.

There is a file called flag.txt.

As per the screenshot, we find what we are looking for. Thus, we replace the command with “cat /root/flag.txt” to make the server respond with the content of the text file.

Don’t forget to re-encode the payload after replacing the command.

The server has responded with the content of the flag file located at /root/flag.txt.

The server’s response in the browser.

Hope you enjoyed reading my blog about solving Bike machine from HTB — Tier 1 — Starting Point Phase.

See You in another write-up!
