
HTB Starting Point — Bike
Box info
OS: Ubuntu Linux, kernel 5.0–5.14 (Node.js Express)
Difficulty: Very Easy
Tier: 1
Status: Starting Point
Skills: SSTI detection, Handlebars template injection, Node.js RCE, process.mainModule bypass
Pwned: 2026-04-28

TL;DR

Bike is a Tier 1 box demonstrating Server-Side Template Injection (SSTI) in a Node.js Express application that uses Handlebars as its template engine. The app exposes a single form that accepts an email address and reflects it back into the page. Submitting {{7*7}} does not return 49 (Handlebars does not evaluate arithmetic); instead it throws a Handlebars parse error with a full stack trace, which immediately reveals both the template engine and the vulnerable file (handlers.js:15). The stack trace is the fingerprint: the error itself, not an evaluated result, confirms that user input is being compiled as a template. From there, a multi-step Handlebars sandbox escape via string.sub.constructor → Function → global.process.mainModule.require('child_process').execSync() achieves RCE. The Node process runs as root, so the shell is root and the flag is readable at /root/flag.txt. From error message to root shell in under 5 minutes. ...