Bolt TryHackMe Exploit explanation
Hello guys, back again with another walkthrough. This time I'm going to be tackling Bolt from TryHackMe, a really nice beginner-friendly box with very few steps required to get root. I'm sure most of you have already solved the box, but I'm here to explain how the vulnerability occurs and how it can be exploited. The vulnerability affects version 3.7.1 of Bolt CMS, and what makes it even easier to exploit is that there's a Metasploit module for it: you input the target IP address, the credentials and the IP address of the attacking machine, and voila, you have a root shell. There's also an Exploit-DB Python exploit, but it's broken, so I decided to recreate the entire script a different way. At the end of the article I'll leave a link to my GitHub page where the script can be downloaded. Without further ado, let's jump in.
As always we'll start off with an nmap scan of the box. This helps us find the open ports on the server, and those will be the ports we target to exploit the box.
Looking at the result of the nmap scan we see that three ports are open: SSH and two HTTP services.
Looking at the web page on port 80 we get a standard Apache default page.
Looking at port 8000 we get a web page titled "Bolt: A hero is unleashed". I decided to enumerate this web page first, since it carries the name Bolt, which is also the name of the box we are tackling.
Looking at the footer we see that the site was created using Bolt CMS.
I decided to go through the web pages and found the credentials for the CMS, both the username and the password.
Let's try those credentials and see if they work.
And we see that the credentials work.
Also, after logging in we get the exact version of the CMS: Bolt 3.7.1.
I decided to search for an exploit in the Exploit Database and found some interesting exploits.
I copied the script to my working directory and tried to execute it, but got a bunch of errors.
I tried debugging the script, but to no avail, so I decided to look at Metasploit and see if there was an exploit available.
I loaded up Metasploit and searched for "bolt", and voila, there was an exploit available.
I just filled in the required options, which were LHOST, RHOSTS, USERNAME and PASSWORD.
Then I executed the module.
And as you see below we got a shell on the box. Sweet.
Let's upgrade the shell to make it a bit more usable.
And as seen above we are root on the box. Let's grab the flag, submit it and get the points.
And the box is done. Real easy, right?
But how exactly was the vulnerability found?
As I've said before, after finding a vulnerability I always try to dig a bit deeper and see if I can reproduce it myself, and I believe every penetration tester should do the same. I don't believe in just exploiting a vulnerability and leaving it at that. Someday, if you haven't started already, you might be interested in bug bounties, and understanding a vulnerability and being able to perform static code analysis on binaries and source files is the key.
First, the exploit requires us to be authenticated, meaning that without valid credentials we won't be able to exploit the vulnerability. Since we have the credentials, let's log in to the CMS.
Now that we have successfully logged in to the application we need to change a few things. First, let's navigate to our user profile; this is where we will inject our PHP shell payload.
Now we need to edit the Display name and add the simple PHP shell below:
<?php system($_GET['bolt']); ?>
And as you see above, the payload has been added successfully. Now, what do we do from here?
If you have been doing penetration testing for some time, or you are a developer, you know that a web application has a specific way of determining whether we have access to a particular part of the application or not: it uses session tokens. The token is sent in a cookie, and on the server side Bolt keeps a session file for each token. With these files the application can determine which parts of the web application we are allowed to access.
Fun, right?
These session files also store information such as our username, and this is where the vulnerability comes in.
We, as the attacker, have been able to change our display name to a PHP payload which, if executed, gives us a shell on that particular box.
In our case, let's take a look at our session tokens. The session files can be found at:
http://<URL>/async/browse/cache/.sessions
When we changed our display name, that malicious PHP source code was written into one of those session files.
Now the problem is how to find it in that huge list, since I had about 50 session files, and that's why I created a Python script.
Another thing that made the vulnerability exploitable was that we could rename files.
As a penetration tester I'm sure you know that the reason PHP code gets executed by a web server is that the file has a .php, .php4, .php5, .phtml or similar extension. Since our session files have none of those extensions, they are useless on their own, because the server will not execute code in them. But lucky for us, Bolt CMS has a way to change filenames using the URL below:
http://<URL>/async/folder/rename
Now that the session file has a .php extension and contains our malicious PHP source code, we can execute it, provided we know where it was stored.
Looking back at the Burp Suite request, we see that it saved the PHP file in
/public/files/<malicious PHP file>
Now we can just pass the URL parameter we specified in the payload and get command execution. That's it folks, as simple as that.
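Since the chain above depends on two weaknesses, a profile field that is stored verbatim in a server-side session file and a rename endpoint that lets a file gain a .php extension, here is an added example (my own illustrative code, not Bolt's) of how a developer would close both and how an incident responder could check a session directory for poisoned files. The function names, the extension list and the serialized session contents are all constructed for the demo.

```python
import os
import re
import tempfile

# Matches a PHP open tag in any form: <?php, <?= or the short tag <?.
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
# Extensions a typical Apache/PHP setup would hand to the PHP handler.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def is_safe_display_name(name: str) -> bool:
    """Hardened profile check: no PHP tags or angle brackets, sane length."""
    if not 1 <= len(name) <= 64:
        return False
    return not (PHP_TAG.search(name) or "<" in name or ">" in name)


def is_safe_rename(new_name: str) -> bool:
    """Hardened rename check: no path components and no executable extension
    anywhere in the dotted name (shell.php.txt is still PHP on some configs)."""
    base = os.path.basename(new_name)
    if base != new_name or base in ("", ".", ".."):
        return False
    return not any(part in EXECUTABLE_EXT for part in base.lower().split(".")[1:])


def find_tainted_sessions(session_dir: str) -> list:
    """IR check: list session files whose serialized contents carry a PHP tag,
    i.e. a user-controlled field that was poisoned the way the post describes."""
    hits = []
    for fname in sorted(os.listdir(session_dir)):
        with open(os.path.join(session_dir, fname), "rb") as fh:
            if PHP_TAG.search(fh.read().decode("latin-1")):
                hits.append(fname)
    return hits


def demo() -> list:
    """Write two constructed session files and return the poisoned one(s)."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "sess_clean"), "w") as fh:
        fh.write('displayname|s:5:"admin";')  # constructed sample
    with open(os.path.join(d, "sess_poisoned"), "w") as fh:
        fh.write('displayname|s:31:"<?php system($_GET[\'bolt\']); ?>";')
    return find_tainted_sessions(d)


if __name__ == "__main__":
    print(demo())
```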
I'm sure you guys will be asking for a demo, so let me leave one below.
Writing the code is a little bit complicated, because you must be able to determine the correct session file that holds the malicious PHP source code. I really wish I could go through the source code I wrote, but it is over 100 lines with a lot to explain, so I'll leave a link to my GitHub page where you can clone the script and try to understand it. If you get lost you can always contact me through the response section and I'll be delighted to answer all your questions.
That's it for now guys, till next time it's goodbye from me.