This is Maruf, back again to break another machine.
Today we will solve “BOLT” from TryHackMe.
This is a pretty straightforward machine. We need to just get into the machine and grab a flag.
So, let’s try to figure it out.
At first we need to connect our TryHackMe VPN, connect our machine to their server and to deploy our target machine.
Here I deployed my machine and in my case the machine IP is 10.10.220.66.
So, I’m gonna run a NMAP scan at first.
nmap -sC -sV <Target_IP>
Here is our NMAP Scan result.
The scan report shows that there are four open ports, as follows:
- 22 for SSH Service
- 80 for HTTP Service
- 6106 for ISDNInfo
- 8000 for another HTTP Service
So, let’s check what we can find in port 80 & 8000.
Here port 80 shows us a default page of Apache2 server.
And in port 8000, we get a website named as “Bolt”.
After scrolling this web page a little bit, we get these posts:
These posts show us that, someone named “Jake” is the admin of this website.
And he left his Username & Password in the posts.
Username: bolt Password: boltadmin123
As we have username and password, let’s try to figure out the login panel.
Though directory brute-forcing is the easier option for finding different directories on a website, I’m gonna try manually at first. If we can’t figure it out manually, then we will go for brute-forcing.
So, let’s try with “/login” first.
Nope, there is no directory as “login”. Let’s try with “/admin”.
Ummhuh! There is nothing as “admin”.
What can be the login path? 🤔
What about giving “/bolt” a try, as the username is “bolt” and the website is named “Bolt” as well?
We guessed it right!
When I tried to go to “10.10.220.66:8000/bolt/” it automatically took me to “10.10.220.66:8000/bolt/login”. And we get this login panel.
So, let’s try to login with the credentials that we got from the posts of the website.
The credentials were valid and now we are in the dashboard of the website. So, let’s explore the website a little bit.
The website is built with BOLT CMS, and it is running BOLT CMS version 3.7.1.
In the left panel, we get a tab for Extensions. Let’s check if we can upload something there.
Nope, there is no way to upload anything in the extension tab.
Let’s check the “File Management” tab.
Here, on the right side, we get a file uploader. Let’s check if we can upload a shell or not.
Nope, we are not permitted to upload any shell. The only allowed extensions are:
As we can see, we can upload HTML file.
So, let’s try to upload our shell by renaming it with “.html” extension and then rename it back to “.php” file after uploading to the website.
Okay, we’ve successfully uploaded our renamed shell. Let’s try to change the extension of that file and make it “.php”.
Nope. We are not allowed to rename our files with “.php” extension. 😖
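From the defender’s side, the chain walked through above (guessing admin paths, logging in at /bolt/login, uploading an .html file to the file manager, then trying to rename it) is easy to spot in the web server’s access log. The script below is an added example, not part of the original write-up; it assumes Apache combined log format, and the sample lines and the file-manager paths after /bolt/login are constructed placeholders, not Bolt’s real endpoints.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined format (an assumption). The paths
# after /bolt/login are placeholders for the file-manager endpoints, not real ones.
SAMPLE_LOG = """\
10.9.1.5 - - [12/Mar/2021:10:01:02 +0000] "GET /login HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.9.1.5 - - [12/Mar/2021:10:01:09 +0000] "GET /admin HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.9.1.5 - - [12/Mar/2021:10:01:20 +0000] "GET /bolt/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.9.1.5 - - [12/Mar/2021:10:01:40 +0000] "POST /bolt/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.9.1.5 - - [12/Mar/2021:10:03:15 +0000] "POST /bolt/files HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.9.1.5 - - [12/Mar/2021:10:03:50 +0000] "POST /bolt/files/rename HTTP/1.1" 403 0 "-" "Mozilla/5.0"
10.9.2.7 - - [12/Mar/2021:10:05:30 +0000] "POST /bolt/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Stages of the chain from the write-up, each a predicate on (method, path, status).
STAGES = [
    ("admin_path_probe", lambda m, p, s: s == "404" and p in ("/login", "/admin", "/administrator")),
    ("bolt_login",       lambda m, p, s: m == "POST" and p == "/bolt/login" and s == "302"),
    ("file_upload",      lambda m, p, s: m == "POST" and p.startswith("/bolt/files")
                                         and "rename" not in p),
    ("rename_attempt",   lambda m, p, s: "rename" in p),
]

def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, status = m.groups()
    return ip, method, path, status

def stages_per_ip(log_text):
    """Map each client IP to the set of chain stages it has triggered."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        for name, pred in STAGES:
            if pred(method, path, status):
                hits[ip].add(name)
    return hits

def suspicious_ips(log_text, min_stages=3):
    """IPs that hit at least min_stages distinct stages, with their sorted stage names."""
    return {ip: sorted(s) for ip, s in stages_per_ip(log_text).items() if len(s) >= min_stages}

if __name__ == "__main__":
    for ip, stages in suspicious_ips(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```

A single successful login (10.9.2.7) is not flagged; only the client that also probed admin paths and hit the upload and rename stages is reported.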
Now we have to find another way, but we don’t have any clue.
Let’s check if the CMS has any known vulnerability or not.
So, I’m gonna use “Searchsploit” in that case.
The command I’m gonna use for this is:
searchsploit bolt cms
Here is the result.
We can see that there is an Authenticated Remote Code Execution exploit for BOLT CMS version 3.7.0.
Though our target is running version 3.7.1, I’m gonna give this RCE a try.
So, let’s fire up our “Metasploit”.
To run Metasploit, we need to type “msfconsole” in our terminal and then hit enter.
And now we need to choose the first module here.
After selecting the first module, I’ve set the required options as follows:
- LHOST: <My Virtual IP>
- LPORT: 10000
- RHOST: <Target Machine IP>
- RPORT: 8000
- Username: bolt
- Password: boltadmin123
Then we ran our exploit and got a shell in our target machine.
Let’s check which user we are logged in as on the machine.
We are “root”!
Okay, let’s look around different directories.
That was easy.
I was just roaming around the directories and got our flag in the “/home” directory.
Here is our flag:
The machine was very easy.
Hope you enjoyed.
I’ve tried to explain it as simply as possible, as we want newbies to learn with us.
But if you still have any confusion, please let us know in the comment section below. We’ll try our best to help you out.
Goodbye for now.
See you in any other write-up soon.