Binamra Pandey

Jul 29, 2021


TryHackMe: Bolt walkthrough

Hello people, in this write-up I cover a walkthrough of the TryHackMe box called “Bolt”. So let’s get started.
Link:- https://tryhackme.com/room/bolt

1. Information Gathering

We start gathering information about the target by scanning for its open ports. I used a tool called “Rustscan”.

rustscan -a $IP -b 1000 -r 0-65535 -t 5000 -- -A

The scan first finds all the open ports, then forwards the result to “Nmap”.

Open 10.10.75.160:22
Open 10.10.75.160:8000

Found 2 open ports, Port 22 and 8000. We all know Port 22 is the common port for SSH, but Port 8000 is not common. So I googled port 8000 and found this

Now we know Port 8000 is a web server.
Now visit the website on that port: http://$IP:8000

2. Scanning And Enumeration

The website looks like this.

Scroll down and you will find a couple of blog posts that reveal a username and password.

You can see that these two posts reveal the username and password. Note down these credentials.
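From the defender's side, credentials written into published posts are something a pre-publish content check can catch. The following is an added example, not part of the original write-up: the sample posts, the patterns and the function names are constructed for illustration, and the matches are heuristic and meant for human review.

```python
import re

# Constructed sample posts (not the room's real content): (title, body).
SAMPLE_POSTS = [
    ("Welcome", "Hey everyone, my username is jdoe, see you around."),
    ("Note to IT", "Hello, the admin password is Example-Pass-123 in case I forget."),
    ("Help", "Forgot your password? Use the reset link on the login page."),
    ("Config", "Staging: user=deploy pass: 'Tmp!2021'"),
]

# A keyword, then an "is" / ":" / "=" connector, then the disclosed value.
# Requiring the connector keeps phrases like "Forgot your password?" quiet.
PATTERNS = {
    "username": re.compile(
        r"\buser(?:name)?\s*(?:is|[:=])\s*['\"]?([\w.@-]{3,})", re.I),
    "password": re.compile(
        r"\b(?:pass(?:word|wd)?|pwd)\s*(?:is|[:=])\s*['\"]?(\S{6,})", re.I),
}

def redact(value):
    """Keep only the first character so the report itself leaks nothing."""
    return value[0] + "*" * (len(value) - 1)

def find_credential_leaks(posts):
    """Return (title, kind, redacted_value) for each suspected disclosure."""
    findings = []
    for title, body in posts:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(body):
                # Drop surrounding quotes and sentence punctuation.
                value = match.group(1).strip("'\".,;")
                if value:
                    findings.append((title, kind, redact(value)))
    return findings

def posts_to_hold(posts):
    """Titles that should be held back for review before publishing."""
    return sorted({title for title, _, _ in find_credential_leaks(posts)})

if __name__ == "__main__":
    for title, kind, value in find_credential_leaks(SAMPLE_POSTS):
        print(f"[HOLD] {title!r}: possible {kind} disclosed ({value})")
```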

We know the site is using Bolt CMS and we have login creds, so now we need a login panel. I googled “Bolt CMS” and found their official documentation, which reveals the path to the login panel.

Link to Docs:- https://docs.bolt.cm/4.0/manual/login#jumpbutton

Now, go to the login panel using this link.
http://$IP:8000/bolt/

After login, you are redirected to the dashboard of Bolt CMS.

At the bottom left corner, you can see the version number of this CMS.

Now search for an exploit for this version. You will find that Metasploit also has one.
Link to Metasploit exploit:- https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce/

3. Exploitation

Now launch Metasploit and type “search bolt”.

Use the latest exploit.

After you select the exploit, type “show options”.

LHOST = tun0 IP address

RHOST = web server IP address

USERNAME = admin username (which we already know from the post)

PASSWORD = admin password (which we already know from the post)

After configuring Metasploit, type “exploit”.

As you can see, I am in the machine. Now navigate around the machine and find “flag.txt”.

I upgraded my shell with “shell_to_meterpreter”.

Now get the content of “flag.txt”.