Bolt-TryHackMe WriteUp

A hero is unleashed

Bolt Room: TryHackMe

Hi, my name is Astik Rawat and I am a Cyber Security Enthusiast. I’m writing this walkthrough while personally going through this room. I will try my best to give quality and descriptive steps as it’s my first writeup. You guys can add me on TryHackMe and maybe we could collaborate on future rooms. I hope you enjoy this write-up for the Bolt room on TryHackMe. :)

Task 1 Deploy the machine

This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution. You should wait for at least 3–4 minutes for the machine to start properly.

#Start the Machine-No Answers Needed

Task 2 Hack your way into the machine!

A hero is unleashed-Once you have successfully deployed the VM, enumerate it before finding the flag in the machine.

What port number has a web server with a CMS running?

We need to run Nmap against the deployed IP to check the open ports and the versions of the services on them. I prefer ‘nmap -sV -sS -A [Deployed Machine IP]’.

This scans the default 1000 ports and reports the status of each. The -sV flag gives us the service version on the open ports, the -sS flag selects a TCP SYN (stealth) scan, and finally, the -A flag enables OS detection, version detection, script scanning, and traceroute.

Another flag that is used a lot is ‘-oN [Output_Filename]’, which writes the output to a file so we can check it later. An alternative is appending ‘> nmap_report.txt’ to the command, which redirects the results into nmap_report.txt.

Nmap

We can see there are a few ports open, and two of them are running an HTTP web server.
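To pick the web-server ports out of a report saved with -oN instead of reading it by eye, the port table can be parsed with a short script. This is an added example, not part of the original write-up; the sample report, its address, ports and version strings are constructed, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple

# Constructed sample of an nmap -oN report (host, ports and versions are made up).
SAMPLE_REPORT = """\
# Nmap scan initiated as: nmap -sV -sS -A -oN nmap_report.txt 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.045s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 (constructed)
80/tcp   open     http    Apache httpd 2.4.29 (constructed)
|_http-title: Default page
3306/tcp filtered mysql
8080/tcp open     http    (PHP 7.2.0) (constructed)
| http-generator: ExampleCMS
"""


class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when -sV could not identify the service


# A port-table row looks like "80/tcp open http Apache httpd ...".
# NSE script output starts with "|" and header lines with text, so neither matches.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(report: str) -> List[PortEntry]:
    """Return every row of the PORT/STATE/SERVICE/VERSION table."""
    entries = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m[1]), m[2], m[3], m[4], m[5].strip()))
    return entries


def web_servers(entries: List[PortEntry]) -> List[PortEntry]:
    """Keep open ports whose service name mentions http (http, ssl/http, http-proxy)."""
    return [e for e in entries if e.state == "open" and "http" in e.service]


if __name__ == "__main__":
    for e in web_servers(parse_ports(SAMPLE_REPORT)):
        print(f"{e.port}/{e.proto}  {e.service}  {e.version}")
```
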

What is the username we can find in the CMS?

Now we will open the Deployed Machine with the specific port. It will look something like this.

Home web page

Now, if we scroll down to the bottom we can see Latest Entries, and the last entry there has a message where we can find the username.

What is the password we can find for the username?

Now we need to go above the Entry where we found the username. That Entry will contain the password.

What version of the CMS is installed on the server? (Ex: Name 1.1.1)

I looked at each page trying to find any details, but I couldn’t find anything about the CMS version. I did find that it was a Bolt CMS server. As we had the username and the password, I searched Google for the Bolt CMS login page and found out that ‘/Bolt’ is the login page. So I went to this page on the machine and logged in with the credentials.

Login Page

Now I have successfully logged in to the CMS server. Being on the server as admin (this user is an admin), I am having so many thoughts about actually getting remote command execution so easily. :P

Leaving that for now, at the bottom left we can find the CMS server name with its version.

Logged in CMS

There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?

Now we will go to Exploit-DB and search for the CMS Server and find a lower version than the Deployed machine.

Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit? (Ex: exploit/….)

Note: If you can’t find the exploit module it’s most likely because your Metasploit isn’t updated. Run `apt update` then `apt install metasploit-framework`

Now we need to run Metasploit by: msfconsole. When the framework is open we need to search for the CMS by: search bolt.

MSFCONSOLE: EXPLOIT

I found 2 exploits available for this CMS, and one of them is the one from Exploit-DB that gives us authenticated RCE. Now we need to use this exploit by typing: use exploit/…./……/………………rce

Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit

As we are done selecting this exploit we need to see what options it has. We can do it by typing in: show options. Now we need to set the lhost, lport, rhost, username, and password. It could be done by typing in: set lhost [Local IP]. The format to set these options is gonna be the same i.e. ‘set [Option name] [value]’.

MSFCONSOLE: OPTIONS

Note: Don't forget to set LHOST to your VPN local IP, as we can get RCE only on that IP.

After each option is set we can use show options again to check that everything was entered correctly. If everything looks right, we can run the exploit by typing: run or exploit.

Look for flag.txt inside the machine.

Now that we have RCE, we need to find the file flag.txt. I have done a lot of CTFs and I have noticed most flag.txt files are hidden in the /home or /root directory. So first I checked if it was in the root directory, but it wasn't present, so I looked at the home directory and there it was.

MSFCONSOLE: RUNNING

My work is done here. If you enjoyed reading this, please give it a clap and follow me on Medium. If you face any issues with this solution, feel free to reach out to me. Hope you’ve enjoyed my work. If you really liked this article, then follow me on Medium and connect with me on LinkedIn. Till then, farewell and Happy Hacking.

Security Consultant | OSCP | eJPT | CEH Master | Network+