Bolt is a difficult Medium box on HTB created by d4rkpayl0ad. It features a downloadable administration template which leaks an admin password. Once logged in you find hints about the presence of sub-domains. On the new site you use a server-side template injection (SSTI) to gain access to the box. Finally, with a lot of enumeration, you find and decrypt a PGP key and its associated message to gain root.
Before I begin each machine I kick off a full port
Once it completes I use the ports found to do a full
NMAP scan. Once this scan finishes I begin a full port
NMAP scan and
Reviewing the results I can see ports 22/80/443 open. Navigating over to the website I see ‘Administration using Admin LTE’ running in
Administration using Admin LTE page on Bolt.
I try the contact forms, note the names available under the ‘Meet the Team’ section and view the source code. Next I go through the other pages and see a Download page available. I download the app and proceed to unzip each
.tar file individually (instead of just building the docker environment which would have probably been easier).
Finding the download page for Bolt.
Going through all the files I finally find something:
To verify I am seeing a clean data-set via the console I open db.sqlite3 in DB Browser:
Viewing the hash for the [email protected]
I grab the hash and crack it with
Using the password cracked from john, I log into the Dashboard and note the majority of the UI is not live. On the chat I see the following:
Chat showing presence of subdomains.
Reviewing some enumeration I had running in the background (IPPSEC #1 Rule) I can see my
VHOST scan picked up two subdomains that fit the conversation:
First I tried the credentials on the mail subdomain with no success. I went over to demo and saw I could register this time, but I needed an invite code:
Requirement for an Invite Code on the Demo site.
Remembering that during my initial enumeration of the download I had seen a base directory with Python files, I went back to review:
I registered and logged into the environment:
Putting in the invite code for the Demo.
After navigating around the Admin Dashboard I remembered the second part of the original clue talking about ‘mail’. I logged in with my Dashboard creds on the mail environment. After logging into the mail environment (and unsuccessfully finding an exploit for RoundCube 1.4.6) I went back to the Dashboard and noticed it was called AdminLTE Flask. I was able to confirm on AppSeed.us that it was indeed built with Flask.
Noting the word ‘Flask’ in the footer.
This means it's possible that the website is vulnerable to SSTI (Server Side Template Injection). After going around the Dashboard I finally found that in the Settings area you could change your Name, Experience and Skills, and an email would be sent to confirm.
Noting the email verification element for the SSTI.
Using this alongside PayloadsAllTheThings – SSTI I tested to see if SSTI was present.
Verifying SSTI is available for confirmation of profile changes.
After inputting the payload I confirmed the change via email, and the second email confirmed SSTI was present. I then tested SSTI Exploit – OS POPEN Read, which came back as successful showing the www-data user. I altered the exploit with a reverse shell embedded (the syntax was very temperamental):
Multiple attempts to succeed at the SSTI. Try Harder.
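As an added example (not code from the writeup or from the AdminLTE Flask project), here is how a defender would catch the probe described above: a validator for the Settings fields that refuses Jinja2 syntax before anything reaches the template engine, plus a check on the confirmation email that flags when a submitted value was evaluated rather than echoed. The field names, sample values and email wording are assumptions.

```python
import re

# Constructed sample values for the Settings form (Name, Experience, Skills)
# that feed the confirmation email; illustrative, not captured from the box.
SAMPLE_FIELDS = {
    "name": "{{7*7}}",
    "experience": "5 years of Flask and Python",
    "skills": "{{ ''.__class__.__mro__[1].__subclasses__() }}",
}

# Jinja2 delimiters a profile field has no legitimate reason to contain.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")
# Dunder attribute walking and Flask/Jinja2 globals used to reach Python internals.
INTROSPECTION = re.compile(r"__\w+__|\b(config|request|lipsum|cycler|joiner)\b")


def classify(value: str) -> str:
    """Label one submitted field: 'template-syntax', 'introspection' or 'clean'."""
    if TEMPLATE_SYNTAX.search(value):
        return "template-syntax"
    if INTROSPECTION.search(value):
        return "introspection"
    return "clean"


def validate_profile(fields: dict) -> dict:
    """Return the label for every field; the caller rejects the update if any
    field is not 'clean', so the values never reach render_template_string().
    The server-side root cause is building the template source from the value,
    e.g. render_template_string("Hello " + name); the fix is a fixed template
    with the value passed as context, render_template_string("Hello {{ name }}",
    name=name), which outputs the value verbatim instead of evaluating it."""
    return {field: classify(value) for field, value in fields.items()}


def reflected_literally(submitted: str, email_body: str) -> bool:
    """Post-hoc check on the confirmation email: if the submitted value does
    not appear verbatim, the template engine evaluated it (e.g. '{{7*7}}'
    arrived as '49'), which is the second-email signal described in the text."""
    return submitted in email_body


if __name__ == "__main__":
    print(validate_profile(SAMPLE_FIELDS))
    print(reflected_literally("{{7*7}}", "Your name is now 49"))
```

The regexes are a coarse first filter; the real fix is the fixed-template pattern noted in the docstring, with this validation as defence in depth.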
Once on the box, I created a working directory in /tmp/ and pulled LinPEAS to the box for enumeration. I created a second session to poke around as well:
I see a bunch of information regarding passbolt.php, and a short search later I can see a database is available and running on the current box:
I use the found credentials to connect to the database locally:
Expecting to find a password in the users table I pulled users first:
No passwords but the same users found in the home directories. In the secrets table I found a
I checked other tables and did some initial enumeration alongside LinPEAS. Finally I tried the database password I got earlier with both users (password reuse):
Nice, a user flag! I check his home directory and see a .ssh directory but no authorized_keys file. I generate a key and add it to authorized_keys on the box. To see how to do this, refer to Backdoor, as I wrote about it two days ago.
Now on the box with a stable session, I run LinPEAS again as eddie looking for my next foothold. The first thing LinPEAS found, at the same time as me, was mail:
Reviewing the mail I can see the following:
This definitely explains why LinPEAS is mentioning Google Chrome/extensions so much. A further dig showed log files dealing with the extensions in question:
This file had a lot to go through but I found a PGP key and decoded it with CyberChef. I then converted it to a hash format so I could crack it with
Once converted I kicked off
So after two crashes and 40 minutes or so I finally got the password of merrychristmas. Next I imported the key:
The password included was for the root user. I used my current session to traverse to root and grab the flag: