# Bolt

![](/files/-Mdi06zmS2xoBfuu0CdU)

## Scanning

Let's run some nmap scans to find open ports and services.

![](/files/-Mdi0wTEr4PJ5b3FXJxF)

## Enumeration

Let's visit the website running on port 8000.

![](/files/-Mdi1Ca-uFXYaqMqX8e4)

It looks like Bolt CMS is running on this port. We also have the username Bolt. Looking through the site, we can also see another username and a password.

![](/files/-Mdi1cEF1iQBMqr7_2tz)

![](/files/-Mdi1i3KLV5dIe5Cfufb)

The login page of a Bolt CMS site is usually found at `/bolt`, so let's check it out.

![](/files/-Mdi2b81lG9q0KaOrY1E)

Let's log in with the credentials we found.

![](/files/-Mdi2l_b1m20UN86oYV4)

Looking at the bottom corner of the page, we see the Bolt version running on the machine.

## Exploitation

Let's now go to Exploit-DB and look for exploits for this version.

![](/files/-Mdi36vYmKlkAqGrjnx-)

We have one, so let's look at it.

Now let's open Metasploit, look for this exploit, and set the options.

![](/files/-Mdi3g5Uw_sDaxxefgkH)

Now let's set the last options, run the exploit, and get the flag.

![](/files/-Mdi4GKi0NWE0O85kFeI)

![](/files/-Mdi47fbmDgynwVC4VXP)

We have the flag.

