TryHackMe: Bolt walkthrough
Hello People, In this write up I have covered a walkthrough for the Tryhackme box called “Bolt”. So let’s get started.
1. Information Gathering
We start to gather the information about the target by scanning for its open ports, I used a tool called “Rustscan”.
rustscan -a $IP -b 1000 -r 0–65535 -t 5000 — -A
First, this scan for all the open ports then forward the result to “Nmap”
Found 2 open ports, Port 22 and 800. We all know Port 22 is a common port which is for SSH but Port 8000 is not common. So I googled about port 8000 and found out this
Now we know Port 8000 is a web server.
Now Visit the website using the following Port number. http://$IP:8000
2. Scanning And Enumeration
The website looks like this.
Scroll down then you will find a couple of blog posts which are revealing Username and Password
You can see that these two posts are revealing Username and Password. Note down these credentials.
We know this using Bolt CMS and we have Login creds, now we need a login panel. So I google “Bolt CMS” and found their official documentation, where they were revealing the path to the login panel
Link to Docs:- https://docs.bolt.cm/4.0/manual/login#jumpbutton
Now, go to the login panel using this link.
After login, you are redirected to the dashboard of Bolt CMS.
At the bottom left corner, you can see the version number of this CMS.
Now search for this exploit. You will find Metasploit also has this exploit.
Link to Metasploit exploit:- https://www.rapid7.com/db/modules/exploit/unix/webapp/bolt_authenticated_rce/
Now launch the Metasploit and type for “search bolt”
Use the latest exploit.
Now after you select the exploit, type “show options”
LHOST= tun0 IP address
RHOST= Web_server Ip address
USERNAME= admin username( which we already know from the post)
PASSWORD= admin password( which we already know from the post)
After configuring Metasploit, now type “exploit”
Now you see, I am into the machine, now navigate around the machine and get “flag.txt”
I upgraded my shell_to_meterpreter.
Now get the content of “flag.txt”