Read my writeup for Bolt machine on
User: From port 80 we get a tar file which contains a Docker image. From the Docker image we found an invite code for demo.bolt.htb subdomain registration. Using the same credentials we can log in to mail.bolt.htb, which is vulnerable to an SSTI attack (from the username field on the demo.bolt.htb admin profile). Using that we get a reverse shell as www-data, and we found the password of the eddie user in the /etc/passbolt/passbolt.php file.

Root: Found a PGP private key in the Chrome extension log. Reading mail from the email_queue table in the passbolt database and decrypting the mail using the PGP private key, we get the root password.