Bolt
Enumeration
Let’s start enumeration of machine using Nmap.
Port 8000 has alternate HTTP with Bolt CMS. Room specifically mentions to enumerate this port so let’s focus on this.
Bolt CMS
Let’s explore all webpages first.
So there are one user named jake as admin with username bolt.
We got password of admin bolt , it is boltadmin123.
Let’s login into portal which is located at /bolt/ directory as mentioned in documentation of Bolt CMS.
RCE Exploit
Let’s check Exploit-DB for RCE exploit on Bolt CMS.
We can setup metasploit for this CVE. Let’s just add necessary options in selected payload. Got shell , let’s find where flag.txt is located.
Got flag for bolt.