Offical Bolt Discussion!

Official discussion thread for Bolt. Please do not post any spoilers or big hints.

Rooted :slight_smile:
Very nice box ! **ti was fun

Thx @ctrlzero for the ride!

As always, pm if stucked, but please explain what you did already before asking questions;)

Just rooted the machine :slight_smile:

Learned a whole lot doing it but was quite hard for a medium machine. Feel free to DM me if you are stuck

Lots of enum on this one. I’m assuming the i****.t** is not a rabbit hole? I’m currently taking a dive in it.
Edit: Found some admin creds. Looks like it wasn’t a rabbit hole lol. Loving this box so far.

1 Like

bro… got the login part … where to get the rce?

I tried basic enumeration, fuzzing directories including search for vhost. I tried also capture de requests and analyze them with burp and zap, and i found some vulnerabilities. Found some hashes also in the download part but i cant broke them. And im a bit lost right now… can you give me just a litte hint? thanks

Did you find more than one portal? Sometimes there are more.

I found 2 yes, we could say secure one and another not secure?

Explore both where you can input data. Also look for more portals

Thanks i’m going to take a look.

Finally i found more portals but im not able to find the creds in the download file, just a bunch of hashes

do you mean one with debug on and one without when you run something locally on your machine?

EDIT: So how are you guys finding the invitation? I’ve literally parsed the downloaded thing (avoiding spoilers here) and literally do not see it. Redownloaded the thing three times just to make sure it wasn’t an error or something. PM’s welcome. I know it’s something stupid i’m missing or a method i haven’t tried. But, so far, I’ve done the basic linux 101 stuff to find it.

For some reason I cannot update any infomation about my accounts on varius webapps hosted on the bolt. I get 500 on settings update. Is it intended or is it a bug? Nothing works from the panels after I log in. Only static content and self-X** (locally) in one place, but the payload is stored in my browser not on the server (checked with proxy) so even it works it will not give me anything.

I hope this don’t spoil much.

FINALLY i found the creds… That was BORING as f*ck!!


Got user access. Going for root now. Feel free to pm for hints

I managed to launch the d** r img on my windows machine and to actually create an account and found the self-X**, however, I do not get that far in Bolt as port is not exposed. I got some creds from the img too but don’t know where to plug those in.

I’m basically at the same stage right now :frowning:

well u can try these creds in one of the login pages and after this u will be able to exploit the vuln

I found some creds from the image and logged in to one of the portals. Saw a hint about e___l from the dashboard. But I think that’s a rabbit hole. Don’t know where to go now. Is it essential to launch the d*****.img locally to go from here?