# Bolt

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi06zmS2xoBfuu0CdU%2Fimage.png?alt=media\&token=99d3b7b4-14a4-4414-ac14-27ffc6945a97)

## Scanning

Let's run some nmap scans to find open ports and services.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi0wTEr4PJ5b3FXJxF%2Fimage.png?alt=media\&token=41ab9b6a-f269-428f-8961-552c7b80de95)

## Enumeration

Let's visit the website running on port 8000.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi1Ca-uFXYaqMqX8e4%2Fimage.png?alt=media\&token=86eaab0d-06f2-4bc0-ab67-64f206b1c934)

It looks like Bolt CMS is running on this port. We also have the username Bolt. Looking through the site, we can also see another username and a password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi1cEF1iQBMqr7_2tz%2Fimage.png?alt=media\&token=c862fb81-a3f0-407a-96f5-7f58d613efb3)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi1i3KLV5dIe5Cfufb%2Fimage.png?alt=media\&token=8bf0116a-1a70-458c-a90d-d7364d2e05bc)

The login page of a Bolt CMS site is usually found at /bolt, so let's check it out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi2b81lG9q0KaOrY1E%2Fimage.png?alt=media\&token=c8228cb3-b8b5-44af-9cd5-201f8b73cd0c)

Let's log in with the credentials we found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi2l_b1m20UN86oYV4%2Fimage.png?alt=media\&token=de13776f-8dad-4742-b5b4-846ad75f81ba)

Looking at the bottom corner of the page, we see the Bolt version running on the machine.

## Exploitation

Let's now go to Exploit-DB and look for exploits for this version.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi36vYmKlkAqGrjnx-%2Fimage.png?alt=media\&token=8bd65f72-a2ae-4f30-bf15-a7e60cac9088)

We have one; let's look at it.

Now let's open Metasploit and look for this exploit, then set the options.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi3g5Uw_sDaxxefgkH%2Fimage.png?alt=media\&token=dd94de65-f2f5-4ce3-aa17-8f18e902e2f5)

Now let's set the last options, run the exploit and get the flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi4GKi0NWE0O85kFeI%2Fimage.png?alt=media\&token=821dcd9f-3776-4b40-a415-26ba4be4deb4)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mdi0-B-vFQv5r3Au8Vh%2F-Mdi47fbmDgynwVC4VXP%2Fimage.png?alt=media\&token=88d7e270-40eb-4c0e-8742-39eacf11a3ee)

We have the flag.
