This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution.
Let’s start by scanning all port with a very basic Nmap scan:
nmap -p- 10.10.78.209
So we have 3 ports open, next let’s run a full version scan with scripts.
nmap -sV -sC -oN service-scan 10.10.78.209
So, we have OpenSSH 7.6 running on Port 22, an Apache http server running on Port 80 and http running on Port 8000.
Port 80 has the standard Apache page, a Gobuster scan did not show any hidden directories.
Move on to Port 8000 in web browser:
This port opens a webpage which appears to be a CMS system known as Bolt. On the two entries are some interesting information:
We are given a password: boltadmin123
This gives use a Username of bolt, so now we have a Username and Password. Maybe we can log into the admin panel of the CMS system.
We login as bolt with the password found above. Looking around we can see that the version is 3.7.1.
There is a hint that tells us that the previous version has anAuthenticated Remote Code Execution vulnerability.
A quick search on Google takes us to the Rapid 7 website, the makers of Metasploit, which gives us the exploit to use.
Fire up Metasploit and use the following exploit, setting the Rhost, Username, Password, Lhost and Lport. Run the ‘Exploit’ command a get a shell.
Job done, box rooted. A good beginner box, but good to see a different CMS than the normal WordPress site.
