[Bolt] – TryHackMe

This one is rated easy and it shows its colors that way. It's a super typical CTF for beginners and takes no time at all for anyone with any kind of knowledge. A foothold is handed to you, you're not required to be even slightly creative to turn that foothold into shell access, and the server is misconfigured, giving you root right away.

You absolutely should not need my help for this; if you do, either you're drunk, drawing a blank, or you really need to go back and work through some of the learning rooms available at TryHackMe.

We start off with nmap, hunting for web ports. We know from the room name that it's going to involve the popular Bolt CMS, so we expect to find web ports and to probably have to enumerate directories.


Right away, we have options, but we decide to play by the rules and stay in our lane. We note that ports 80 and 8000 are open, one serving Apache 2.4.29 and the other seemingly self-hosted by PHP 7.2.32-1. Without a list of potential users, we ignore SSH.. though there's plenty of fun that could be had there.

I choose lulzbuster and set it after both ports, hoping that I don't bog down the VM. It doesn't find anything unusual: just default pages on Apache, and on 8000 it finds Bolt and a few folders. But before I can even explore those folders, I'm on the page and there's a post from the admin telling us his name is Jake and that his username is bolt (no idea why he shares this). I note that it's posted by 'Admin', but we all know that can be a display name. I just write it down in case 'bolt' is a rabbit hole, though I'm aware bolt is already the default username for Bolt CMS.

I notice there's a "read more" link and expand the post; nothing is added except an obvious link, "For IT Staff", so I click it. He boldly (boltly? lol) tells us his password is boltadmin123. So, we have our first two answers:

bolt

boltadmin123

We find the well-known Bolt administrative login right where it should be, at /bolt/login, try our credentials and land inside to answer the next question. Its version is Bolt 3.7.1.

The next question asks us about a Metasploit module for a previous version of Bolt, which was interesting. So, I launch msfconsole, search for bolt, and answer the question.

exploit/unix/webapp/bolt_authenticated_rce

The exploit-db id is: 48296

Now, I'm just curious why they had us look up two old exploits that shouldn't work on this release of Bolt, so I fill in the options for Metasploit and run the RCE it has for the previous version. Surprisingly, it works. So, I find the flag at /home/flag.txt, which I'd post here, but I've already closed that browser window. Sorry about that; I found it more necessary to go send an e-mail to the CVE maintainers to update the information they have for this vulnerability, because it's clearly not fixed in 3.7.1.

Quick and easy; it would've been annoyingly boring, except it turned into fun by noticing that what people thought was fixed in 3.7.1 was NOT fixed.