The information provided on this site is for educational purposes regarding pentesting. The author of the site will not be held responsible for any misuse of the information from this site.
- Special port for User CMS
- Default Apache without special directories
- User and password are on the webpage.
- Vulnerable to Remote Code Execution (RCE)
- Exploit with Metasploit to get a shell.
- Search for the flag.
Check port 80
It’s the default Apache page, with nothing interesting.
I decided to run Gobuster, Dirb & Rustbuster against it with no
Check other port
It redirects me to a CMS site which has numerous potential users. After looking around, I found the valid credentials.
The website shows many links that point to the user, so I decided to browse to
10.10.161.84:secretport/user and it redirects to the login page.
Tried numerous default credentials with no luck, so let’s move on and save it for later.
I decided to search around with searchsploit and found that this CMS has an authenticated RCE.
Fired up msfconsole and searched for bolt_authenticated cms.
Now it seems things are getting easier; everyone knows how to use this stuff (Metasploit).
And I’m in as root….
After a few seconds, I realized the flag is not in the root dir. The box is kinda different, because the flag should always be in
Searching for the flag!
find commands, I may easily get the flag.
root@bolt:~# find / -type f -name "*.txt"
If you are using TMUX, press prefix+/ & ctrl+s, then search for flag.txt.