
Tryhackme - Bolt

The information provided on this site is for educational purposes regarding pentesting. The author of the site will not be held responsible for any misuse of the information from this site.

Summary


  • Special port for User CMS
  • Default Apache without special directories
  • Username and password are on the webpage.
  • Vulnerable to Remote Code Execution (RCE)
  • Exploit with Metasploit to get a shell.
  • Search for the flag.

Port scan


Check port 80


It’s the default Apache page, with nothing interesting.

I decided to run Gobuster, Dirb & Rustbuster against it, with no loot.

Check other port


It redirects me to a CMS site which has numerous potential users. After looking around, I found the valid credentials.

Username

Password

The website shows many links that point to the user, so I decided to browse 10.10.161.84:secretport/user, and it redirects to the login page.

Tried numerous default credentials with no luck, so let’s move on and save it for later.

Found RCE


I decided to search around with searchsploit and found that this CMS has an authenticated RCE.

Metasploit


Fired up msfconsole and searched for bolt_authenticated cms.

Now it seems things are getting easier; everyone knows how to use this stuff (Metasploit).

And I’m in as root….

After a few seconds, I realized the flag is not in the root dir; the box is kinda different, because the flag should always be in /root.

Searching for the flag!


By executing find commands, I can easily get the flag.

root@bolt:~# find / -type f -name "*.txt"

If you are using TMUX, press prefix+/ & ctrl+s, then search for flag.txt.

Capture root


Capture it….


This post is licensed under do wtf you want with it.