Introduction
This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution.
Okey dokey then. It’s rated easy. Let’s begin.
Ports
nmap says we’ve got three open ports: 22 (SSH), 80 (HTTP) and 8000. One of the questions is:
What port number has a web server with a CMS running?
so I think we can assume we’re looking for port 8000. Let’s go there.
Port 8000
The page helpfully gives us some creds (I guess this is an exercise in authenticated RCE after all): bolt:boltadmin123
We can exploit this with Metasploit - it’s basically this:
So, that’s pretty easy.
Too Easy
In fact that was too easy, so let’s do it without Metasploit. The below is based on this:
- Log in to Bolt with bolt:boltadmin123 at: http://10.10.246.203:8000/bolt/login
- Visit view-source:http://10.10.246.203:8000/bolt/overview/showcases and copy the CSRF token
- Upload a reverse shell with a .txt extension at http://10.10.246.203:8000/bolt/files, e.g. shell.txt (the upload form won’t take a .php file directly)
- Start a netcat listener on the port your shell calls back to
- Send this request via Burp, with the appropriate cookie and token values (this is the step that turns shell.txt into shell.php):
Finally, visit http://10.10.246.203:8000/files/shell.php
Boom.