TryHackMe: Bolt walkthrough by Mayur Parmar(th3cyb3rc0p)


Cyber Defecers

A hero is unleashed: the fairytale story of our hero Bolt.

Room Link: https://tryhackme.com/room/bolt


Port scanning showed three open ports.

Apache is running on port 80, and Bolt CMS is running on the third port.

[Screenshot: Bolt CMS]

While browsing the website I found some juicy information in a post made by the admin.

[Screenshot: Username]

From this post, I got the username.

[Screenshot: Password]

From this post, I got the password.

Next I looked for a login page where I could use these credentials, but had no luck.

Then I searched Google for the Bolt CMS default login page path and found it in the installation documentation.

e.g. abc.com/bolt

[Screenshot: Login panel path]

I used the credentials and quickly logged into the admin panel. At the bottom of the page, I got the version.
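From the defender's side, the step just described leaves a clear trace in the Apache access log: a POST to the default /bolt login path followed by further requests into the backend from the same source. The following Python example is added here and is not part of the original walkthrough; it scans constructed Apache combined-log lines and reports every source that reached the admin panel, flagging any that is not on an allowlist. It assumes the backend still sits at the default /bolt prefix and that a 302 after the login POST indicates a successful form login.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Bolt CMS serves its backend under /bolt by default (assumption: default unchanged).
ADMIN_PREFIX = "/bolt"
LOGIN_PATH = "/bolt/login"


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def admin_activity(lines, allowlist=frozenset()):
    """Group backend requests by source IP and flag sources outside the allowlist.

    Returns ip -> {"logins", "successful_logins", "admin_requests", "flagged"}.
    A login attempt is a POST to /bolt/login; a 302 response to it is treated
    as a successful login (assumption: redirect into the backend after auth).
    """
    seen = defaultdict(lambda: {"logins": 0, "successful_logins": 0,
                                "admin_requests": 0, "flagged": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX):
            continue  # unparseable or not aimed at the backend: ignore
        entry = seen[rec["ip"]]
        entry["admin_requests"] += 1
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            entry["logins"] += 1
            if rec["status"] == "302":
                entry["successful_logins"] += 1
        entry["flagged"] = rec["ip"] not in allowlist
    return dict(seen)


# Constructed sample lines (not real traffic): one outside source logs in and browses the backend.
SAMPLE_LOG = [
    '10.10.1.5 - - [01/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.1.5 - - [01/Jan/2021:10:00:09 +0000] "GET /bolt HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.1.5 - - [01/Jan/2021:10:00:15 +0000] "POST /bolt/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.1.5 - - [01/Jan/2021:10:00:20 +0000] "GET /bolt/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '192.168.0.2 - - [01/Jan/2021:09:00:00 +0000] "GET /bolt/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in admin_activity(SAMPLE_LOG, allowlist={"192.168.0.2"}).items():
        print(ip, info)
```

Restricting the /bolt path to trusted addresses at the web server, and alerting on any successful login from elsewhere, closes the gap this walkthrough walks through.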

[Screenshot: Version]

I searched for "bolt cms 3.7.1" and found an exploit for an older version.

With it, we can get RCE.

[Screenshot: EDB ID]

Now open Metasploit by typing the "msfconsole" command in Kali Linux.

Then type "search bolt". This command lists all the exploit and auxiliary modules related to the keyword bolt.

From exploit-db we know that version 3.7.0 is vulnerable to RCE, so we can select the second result.

command: use <exploit path>

Now type show options. This command shows which parameters we have to set for this exploit.

set lhost = your IP address (use the ifconfig command in Linux and take the tun0 IP address)

set rhost = remote host (the web app's IP address)

set username = admin username (which we already know from the post)

set password = admin password (which we already know from the post)

Finally, type exploit to run it.

[Screenshot: Metasploit]

We can see from the screenshot below that our exploit executed successfully.

[Screenshot]

We can use various Linux commands in the post-exploitation phase (depending on the remote machine).

In most CTF boxes, the flag is in the /home directory.

Author: Mayur Parmar(th3cyb3rc0p)

Follow me on Twitter & LinkedIn (I mostly share tips on these social media platforms)

https://twitter.com/th3cyb3rc0p?lang=en

https://in.linkedin.com/in/th3cyb3rc0p

https://www.instagram.com/th3cyb3rc0p/?hl=en

https://twitter.com/cyberdefecers?lang=en

https://ctftime.org/team/112504
