TryHackMe : Bolt

Today I am going to solve the Bolt Ctf which is an Easy category CTF of Tryhackme.

So like always start with enumeration using Nmap and here is the result of Nmap scan

As port 22 is open I started brute force for access using Hydra (though that didn't work).

As Port 80 is open so started dirb scan, got nothing. Visited the website but got nothing on the page source code.

So, went on to visit port 8000 which has some info:

What port number has a web server with a CMS running?

8000


What is the Username we can find in the CMS?

bolt

What is the Password we can find for the Username?

boltadmin123

On this webpage, I got a username and password but did not know where to put them. Got help from Google and found:

As directed let's visit 10.10.63.227/bolt and see what can we get.

Let's put found creds i.e., Username: bolt and password: boltadmin123

and we are in:

What version of the CMS is installed on the server?

Bolt 3.7.1


With the help of Google, let's find out if is there any exploit of Bolt 3.7.1 but got this:

and that's what told in the question section

There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?

48296


Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit?

exploit/unix/webapp/bolt_authenticated_rce


Now let's use this exploit to gain access:

Now set the necessary things to run this exploit:

this gives us access of this machine. Now locate our flag to complete this CTF, before that let's first get a bash session that can be more interactive. For that:

/bin/bash -i

and we got our flag.txt file which cats out:

THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}