TryHackMe: Bolt

A hero is unleashed
Once you have successfully deployed the VM, enumerate it before finding the flag in the machine.
https://tryhackme.com/room/bolt
Nmap Scan
nmap -sC -sV 10.10.62.123
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-19 17:46 IST
Nmap scan report for 10.10.62.123
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
| 256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_ 256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open http (PHP 7.2.32-1)
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Date: Wed, 19 Aug 2020 12:17:09 GMT
| Connection: close
| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
| Cache-Control: private, must-revalidate
| Date: Wed, 19 Aug 2020 12:17:09 GMT
| Content-Type: text/html; charset=UTF-8
| pragma: no-cache
| expires: -1
| X-Debug-Token: 8f385a
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.56 seconds
1. What port number has a web server with a CMS running?
8**0
2. What is the username we can find in the CMS?
B**t
3. What is the password we can find for the username?

***********
Searching on Google, we found that the login panel is at /bolt/login
Username: bolt Password: ***********
4. What version of the CMS is installed on the server? (Ex: Name 1.1.1)
bolt *.*.*
The Bolt CMS version is shown in the bottom-left corner of the dashboard.

5. There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?
4***6
Simply open Google and search for: bolt *.*.* exploit EDB-ID

6. Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)
exploit/****/****/bo**_************_rce
Open a terminal, type msfconsole, then search bolt and you will find it.

7. Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit
No Answer required
8. Look for flag.txt inside the machine.
THM{****************************}
