A first nmap scan shows SSH and a Node.js-based webserver:
sudo nmap -sV -sC <IP>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Node.js (Express middleware)
|_http-title: Bike
<SNIP>
The website accepts user input, and while testing it with injection payloads I found an interesting error:
Error: Parse error on line 1:
{{7*7}}
--^
Expecting 'ID', 'STRING', 'NUMBER', 'BOOLEAN', 'UNDEFINED', 'NULL', 'DATA', got 'INVALID'
at Parser.parseError (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:268:19)
at Parser.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/parser.js:337:30)
at HandlebarsEnvironment.parse (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/base.js:46:43)
at compileInput (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:515:19)
at ret (/root/Backend/node_modules/handlebars/dist/cjs/handlebars/compiler/compiler.js:524:18)
at router.post (/root/Backend/routes/handlers.js:14:16)
at Layer.handle [as handle_request] (/root/Backend/node_modules/express/lib/router/layer.js:95:5)
at next (/root/Backend/node_modules/express/lib/router/route.js:137:13)
at Route.dispatch (/root/Backend/node_modules/express/lib/router/route.js:112:3)
at Layer.handle [as handle_request] (/root/Backend/node_modules/express/lib/router/layer.js:95:5)
SSTI RCE
Googling for 'Handlebars SSTI', I quickly found a payload that gave me RCE.
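As an added example (not from my notes or the box's own code), here is the handler pattern that produces the parse error above, next to its hardened form. It uses a tiny stand-in template engine that only supports {{identifier}} so it runs without the handlebars package; the FIXED_TEMPLATE string and the `email` field are assumptions.

```javascript
// Added example, not the box's code. Stand-in engine: literal text plus
// {{identifier}} substitutions (HTML-escaped); anything else inside {{ }}
// is rejected, which is the behaviour behind the "got 'INVALID'" error.
function compile(source) {
  const tokens = [];
  const re = /\{\{\s*([^}]*?)\s*\}\}/g;
  let last = 0, m;
  while ((m = re.exec(source)) !== null) {
    tokens.push({ text: source.slice(last, m.index) });
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(m[1])) {
      throw new Error(`Parse error on line 1: ${source} Expecting 'ID', got 'INVALID'`);
    }
    tokens.push({ id: m[1] });
    last = re.lastIndex;
  }
  tokens.push({ text: source.slice(last) });
  return (ctx) => tokens
    .map((t) => ('id' in t ? escapeHtml(String(ctx[t.id] ?? '')) : t.text))
    .join('');
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: what the stack trace (router.post -> compile) implies. The
// request body itself becomes the template, so template syntax is evaluated.
function renderVulnerable(userInput) {
  return compile(userInput)({});
}

// HARDENED: the template is a fixed string and user input is only context
// data, so `{{7*7}}` is rendered as escaped text and never reaches the parser.
const FIXED_TEMPLATE = 'We will contact you at {{email}}'; // assumed template
function renderHardened(userInput) {
  return compile(FIXED_TEMPLATE)({ email: userInput });
}

// Send the same probe through a handler and report whether the parser choked.
function probe(render, input) {
  try { return { ok: true, out: render(input) }; }
  catch (e) { return { ok: false, err: e.message }; }
}

console.log(probe(renderVulnerable, '{{7*7}}'), probe(renderHardened, '{{7*7}}'));
```

The first result is a parse error like the one on the box; the second returns the literal text with `{{7*7}}` untouched.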
The rest of my notes are missing for this one, as I did it when I had just started with HTB.