nmap -sC -sV Target_IP
We can see the open ports; the most interesting is port 8000, which is running Bolt CMS. After looking around the web page, we find the login username and password in a post on the page. Searching the web for vulnerabilities, we find one for Authenticated Remote Code Execution. How will you tackle this one? I used Metasploit with the following module: exploit/unix/webapp/bolt_authenticated_r. Through the Metasploit console, set the needed variables LHOST, RHOST, USERNAME and PASSWORD, and run the exploit. We need to run:
find / -type f -name flag.txt 2>/dev/null
and we get the flag in seconds. I hope this short and easy tutorial helps anyone who got stuck solving this room.
audittrsi