Tryhackme : Bolt


A hero is unleashed

Once you have successfully deployed the VM , enumerate it before finding the flag in the machine.

Nmap Scan
nmap -sC -sV
Starting Nmap 7.80 ( ) at 2020-08-19 17:46 IST
Nmap scan report for
Host is up (0.16s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
|   256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
|_  256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8000/tcp open  http    (PHP 7.2.32-1)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Date: Wed, 19 Aug 2020 12:17:09 GMT
|     Connection: close
|     X-Powered-By: PHP/
|     Cache-Control: private, must-revalidate
|     Date: Wed, 19 Aug 2020 12:17:09 GMT
|     Content-Type: text/html; charset=UTF-8
|     pragma: no-cache
|     expires: -1
|     X-Debug-Token: 8f385a
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 53.56 seconds

1. What port number has a web server with a CMS running?


2. What is the username we can find in the CMS?


3. What is the password we can find for the username?

user pass


On search on google we found login panel at /bolt/login

Username: bolt Password: ***********

4. What version of the CMS is installed on the server? (Ex: Name 1.1.1)

bolt *.*.*

Version of bolt cms is found at Left bottom corner at dashbar

bottom bar

5. There's an exploit for a previous version of this CMS, which allows authenticated RCE. Find it on Exploit DB. What's its EDB-ID?


Simply open google and type bolt *.*.* exploit EDB-ID

Google search

6. Metasploit recently added an exploit module for this vulnerability. What's the full path for this exploit? (Ex: exploit/....)


Open up terminal. type msfconsole, search bolt and you will find it


7. Set the LHOST, LPORT, RHOST, USERNAME, PASSWORD in msfconsole before running the exploit

No Answer required

8. Look for flag.txt inside the machine.