Offical Bolt Discussion!

emma · October 1, 2021, 1:39pm

Official discussion thread for Bolt. Please do not post any spoilers or big hints.

clure · October 2, 2021, 5:17pm

Rooted
Very nice box ! **ti was fun

Thx @ctrlzero for the ride!

As always, pm if stucked, but please explain what you did already before asking questions;)

htbuser01 · October 2, 2021, 5:25pm

Just rooted the machine

Learned a whole lot doing it but was quite hard for a medium machine. Feel free to DM me if you are stuck

walk · October 2, 2021, 9:40pm

Lots of enum on this one. I’m assuming the i****.t** is not a rabbit hole? I’m currently taking a dive in it.
Edit: Found some admin creds. Looks like it wasn’t a rabbit hole lol. Loving this box so far.

ishansaha007 · October 3, 2021, 5:08pm

bro… got the login part … where to get the rce?

k01n · October 3, 2021, 5:55pm

Hi,
I tried basic enumeration, fuzzing directories including search for vhost. I tried also capture de requests and analyze them with burp and zap, and i found some vulnerabilities. Found some hashes also in the download part but i cant broke them. And im a bit lost right now… can you give me just a litte hint? thanks

htbuser01 · October 3, 2021, 6:02pm

Did you find more than one portal? Sometimes there are more.

k01n · October 3, 2021, 6:05pm

I found 2 yes, we could say secure one and another not secure?

htbuser01 · October 3, 2021, 6:06pm

Explore both where you can input data. Also look for more portals

k01n · October 3, 2021, 6:09pm

Thanks i’m going to take a look.

k01n · October 3, 2021, 7:18pm

Finally i found more portals but im not able to find the creds in the download file, just a bunch of hashes

tobig · October 3, 2021, 7:52pm

do you mean one with debug on and one without when you run something locally on your machine?

walk · October 4, 2021, 4:36am

EDIT: So how are you guys finding the invitation? I’ve literally parsed the downloaded thing (avoiding spoilers here) and literally do not see it. Redownloaded the thing three times just to make sure it wasn’t an error or something. PM’s welcome. I know it’s something stupid i’m missing or a method i haven’t tried. But, so far, I’ve done the basic linux 101 stuff to find it.

foxtrotcharlie · October 4, 2021, 6:13am

For some reason I cannot update any infomation about my accounts on varius webapps hosted on the bolt. I get 500 on settings update. Is it intended or is it a bug? Nothing works from the panels after I log in. Only static content and self-X** (locally) in one place, but the payload is stored in my browser not on the server (checked with proxy) so even it works it will not give me anything.

I hope this don’t spoil much.

k01n · October 4, 2021, 9:13am

FINALLY i found the creds… That was BORING as f*ck!!

k01n · October 4, 2021, 11:52am

Got user access. Going for root now. Feel free to pm for hints

tobig · October 4, 2021, 5:09pm

I managed to launch the d** r img on my windows machine and to actually create an account and found the self-X**, however, I do not get that far in Bolt as port is not exposed. I got some creds from the img too but don’t know where to plug those in.

tobig · October 4, 2021, 5:12pm

I’m basically at the same stage right now

k01n · October 4, 2021, 5:48pm

well u can try these creds in one of the login pages and after this u will be able to exploit the vuln

kavigihan · October 4, 2021, 6:03pm

I found some creds from the image and logged in to one of the portals. Saw a hint about e___l from the dashboard. But I think that’s a rabbit hole. Don’t know where to go now. Is it essential to launch the d*****.img locally to go from here?