Bolt

This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution. You should wait for at least 3-4 minutes for the machine to start properly.


I wanted to launch this room to enhance my experience with Metasploit

Step 1 we are going to launch the machine and enumerate with Nmap

Our scan results indicate that port 8000 is open on the machine.
Next we are looking for a username and a password associated with it

guess based on what was located webpage was Admin or Bolt.

Testing “bolt” we get our answer

Searching through the page we locate the password as well

From here we navigate to the login page bolt. This is 10.10.192.158:8000/bolt/login. We are going to login with our username and password we located

Searching around the page we locate the version in the bottom left corner

From here we are looking for an exploit on exploit-db.

Selecting this option, we get EDB-ID of 48296

Next we launch metasploit and search “bolt”

Our first option is the RCE we want to use in this instance

From here we check out options

We set our options (LHOST RHOST, USERNAME, PASSWORD) and launch!

We now have a command shell!

On here Im going to go the extra step and upgrade to a meterpreter shell

From here we search and Boom! We have our flag!