# Silver Platter

{% embed url="<https://tryhackme.com/r/room/silverplatter>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find three open ports: port `22` with SSH, port `80` with an nginx web server, and port `8080` with another web server.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FSgkVSYzCCsgjg3Nj9fJl%2Fgrafik.png?alt=media&#x26;token=ae3beb2d-e0fe-426c-b9dc-502d462f936e" alt=""><figcaption></figcaption></figure>

When enumerating the directories using Feroxbuster, we do not find anything interesting on the web server on port `80`.

{% code overflow="wrap" %}

```
feroxbuster -u 'http://silverplatter.thm/' -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F5ZYsVPHCgNcYRiIjnUtk%2Fgrafik.png?alt=media&#x26;token=37db4c42-7652-4b6b-9370-d4a470d203f9" alt=""><figcaption></figcaption></figure>

On the web server on port `8080` we find two directories, `/website` and `/console`, both of which look interesting. However, `/console` redirects to a static HTML page, `nodirect.html`, and `/website` redirects to `/website/`, which is forbidden.

{% code overflow="wrap" %}

```
feroxbuster -u 'http://silverplatter.thm:8080/' -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FbHC0rtinjTRQpqDkOYkI%2Fgrafik.png?alt=media&#x26;token=63c81400-03c8-486f-b595-77ccfe5ed8fb" alt=""><figcaption></figcaption></figure>

We look at the page manually on port `80`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fse2TBssaydpVtlGZJ0mO%2Fgrafik.png?alt=media&#x26;token=86610dbd-2423-44d6-a8c4-4e3276513ff2" alt=""><figcaption></figcaption></figure>

Under Contact we find a possible user who is a project manager for Silverpeas.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FdmwXOJ81GZSxAjGDK5YW%2Fgrafik.png?alt=media&#x26;token=9e017d6f-0f7e-486e-8aa1-d88a724a28aa" alt=""><figcaption></figcaption></figure>

We write down the findings...

```
Silverpeas
```

```
scr1ptkiddy
```

On the web server on port `8080` the index page contains nothing of interest, and `/website` redirects us to `/website/`, which is forbidden.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F6LV0GK0CrLuhe4Ghhkhn%2Fgrafik.png?alt=media&#x26;token=bfcb9e8d-c765-43b8-baed-d445a324bfed" alt=""><figcaption></figcaption></figure>

Various 403 bypass techniques and automated scripts were unsuccessful. Since we have a username and the room description hints at a possible brute force, we try an HTTP basic authentication brute force with Hydra. This was also unsuccessful.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FZbu1hUWuvWxd8kkjholT%2Fgrafik.png?alt=media&#x26;token=e0e3675f-ac76-4e06-a4cb-e8982c1c3329" alt=""><figcaption></figcaption></figure>

## Web Access

However, we still have the reference to Silverpeas in the contact form. We enter this as a directory under `http://silverplatter.thm:8080/` and get a hit: a login page for Silverpeas. We find some CVEs for this version, but they are not necessary.

```
Silverpeas
```

```
http://silverplatter.thm:8080/silverpeas
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJqS0TcI0zIaIPJ2KinZu%2Fgrafik.png?alt=media&#x26;token=7a019231-7f19-4e66-8842-2319f214b10b" alt=""><figcaption></figcaption></figure>

### Intended

Since we have a username, we can try to brute-force the login with Hydra. The room description hints that `rockyou.txt` may not help here, but we can build a wordlist from the words on the `http://silverplatter.thm` page. We use cewl to do this.

```
cewl http://silverplatter.thm > passwords.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FBCeP4OKMEL7AIkAs4Rky%2Fgrafik.png?alt=media&#x26;token=9e1f3209-eb6b-4126-bd72-2bb58a724c56" alt=""><figcaption></figcaption></figure>

User:

```
scr1ptkiddy
```

Now we capture a login request to craft our Hydra command.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FkKMiMLAN8AsuXqHM5q0L%2Fgrafik.png?alt=media&#x26;token=0ac08352-bf57-4202-ae1d-8d074c1e4d34" alt=""><figcaption></figcaption></figure>

We forward the intercepted request to see the error message returned for an invalid login; Hydra needs it as the failure string.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FpuPDn8OhHSZiSuMv2JyV%2Fgrafik.png?alt=media&#x26;token=63ecd4ea-4f92-42d3-8124-4de468d982a2" alt=""><figcaption></figcaption></figure>

Next, we build the Hydra command with the user we found and the words extracted by cewl, and we retrieve a valid credential pair.

{% code overflow="wrap" %}

```
hydra -l scr1ptkiddy -P passwords.txt silverplatter.thm -s 8080 http-post-form "/silverpeas/AuthenticationServlet:Login=^USER^&Password=^PASS^&DomainId=0:F=Login or password incorrect"
```

{% endcode %}

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FCCf1ZXLT0oLSRkrcMuWA%2Fgrafik.png?alt=media&#x26;token=b8f4c671-a3c5-45d0-9e6a-ae63c4a79be6" alt=""><figcaption></figcaption></figure>

We are able to log in as `scr1ptkiddy` at Silverpeas.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F0sUmzXEhx68ROUaicIn6%2Fgrafik.png?alt=media&#x26;token=e32b4f94-653b-47c8-94ff-8d8bfa8d966f" alt=""><figcaption></figcaption></figure>

### Unintended

It seems that while testing the room, Aquinas found a way to bypass the login: all you have to do is remove the password parameter from the login request.

{% embed url="<https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d>" %}

We intercept a login request for the user `scr1ptkiddy` using Burp Suite, remove the password parameter, and then forward the request.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F5nQIwb8TpL9PApFXyEL0%2Fgrafik.png?alt=media&#x26;token=e6c25787-d7c5-4aba-9dab-a2c5d13d1819" alt=""><figcaption></figcaption></figure>

And we are logged in.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FOzCkBJjVmY9sU6SEjBfc%2Fgrafik.png?alt=media&#x26;token=09c97409-8fdd-4647-b1fa-6823f2c4ffb9" alt=""><figcaption></figcaption></figure>
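The bypass above works because the server only fails the login when a submitted password is wrong, so a request that omits the `Password` parameter altogether never reaches the check. The two handlers below, an added example that is not Silverpeas' code, show that bug class beside its fix; the user store, salt and password value are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed user store (assumption: one salted SHA-256 digest per user, not Silverpeas' real schema).
_SALT = b"constructed-salt"
_USERS = {"scr1ptkiddy": hashlib.sha256(_SALT + b"correct-horse").hexdigest()}


def _password_ok(user: str, password: str) -> bool:
    """Constant-time comparison of the submitted password against the stored digest."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(_USERS.get(user, ""), digest)


def login_vulnerable(body: str) -> bool:
    """Bug class from the write-up: the password is verified only when the parameter is
    present, so 'Login=...&DomainId=0' without a Password field is treated as a success."""
    form = parse_qs(body, keep_blank_values=True)
    user = form.get("Login", [""])[0]
    if user not in _USERS:
        return False
    if "Password" in form:
        return _password_ok(user, form["Password"][0])
    return True  # missing parameter: the check is skipped entirely


def login_hardened(body: str) -> bool:
    """Fix: a missing or empty credential is a failed login, reported exactly like a
    wrong password, so the absent parameter cannot short-circuit the verification."""
    form = parse_qs(body, keep_blank_values=True)
    user = form.get("Login", [""])[0]
    password = form.get("Password", [""])[0]
    if not user or not password:
        return False
    return _password_ok(user, password)
```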

## Shell As Tim

After being logged in as `scr1ptkiddy`, we can find a single notification.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FMBVkqHCGVs4TQ177btQn%2Fgrafik.png?alt=media&#x26;token=d34f5f9f-c049-43e1-93ed-bd9c5122e38e" alt=""><figcaption></figcaption></figure>

### Intended

In the personal workspace, we can inspect our notifications.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fy865n8BpB1TvFbtINxKL%2Fgrafik.png?alt=media&#x26;token=3de9c6bc-2ca2-45bc-b9d3-bb3bda3fbf34" alt=""><figcaption></figcaption></figure>

We intercept the request that opens the message and see that a message ID is queried, here ID 5.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FKTChEez3Jnx63twLzHRa%2Fgrafik.png?alt=media&#x26;token=a3c25122-7923-4849-a5d2-8e97cff93a7c" alt=""><figcaption></figcaption></figure>

But there is an IDOR: by changing the ID we can also inspect the messages of other users. The message with ID 6 contains the SSH credentials of the user `tim`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FWNx3FWBOkxJegSm4zjRq%2Fgrafik.png?alt=media&#x26;token=465b2b05-3dfc-41da-86b1-60989f8a7339" alt=""><figcaption></figcaption></figure>
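The message endpoint above looks the record up by ID alone and never compares the requester with the message owner, which is the whole IDOR. The following added example (not Silverpeas' code) models an inbox with the two IDs from the write-up and shows the lookup with and without an object-level ownership check; the owners and message bodies are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Message:
    msg_id: int
    owner: str
    body: str


# Constructed inbox: scr1ptkiddy owns ID 5; ID 6 belongs to another account and stands in
# for the message that leaked tim's SSH password in the room (placeholder text, not the real value).
INBOX = {
    5: Message(5, "scr1ptkiddy", "Welcome to Silverpeas."),
    6: Message(6, "Manager", "tim's SSH password is <PLACEHOLDER>"),
}


def read_message_vulnerable(msg_id: int, current_user: str) -> Optional[str]:
    """IDOR: the record is fetched by ID; current_user is accepted but never used."""
    msg = INBOX.get(msg_id)
    return msg.body if msg else None


def read_message_hardened(msg_id: int, current_user: str) -> Optional[str]:
    """Object-level authorization: the body is returned only to the message owner.
    A foreign ID and a nonexistent ID get the same answer, so IDs cannot be enumerated
    by telling 'denied' apart from 'not found'."""
    msg = INBOX.get(msg_id)
    if msg is None or msg.owner != current_user:
        return None
    return msg.body


def foreign_id_probes(events, threshold=3) -> dict:
    """Detection side: count denied reads per user from (user, msg_id) access events and
    return {user: denied_count} for users that probed at least `threshold` foreign IDs."""
    denied = {}
    for user, msg_id in events:
        if read_message_hardened(msg_id, user) is None:
            denied[user] = denied.get(user, 0) + 1
    return {u: n for u, n in denied.items() if n >= threshold}
```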

Next, we use those credentials to log in via SSH.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FE9AhvUh0NEqxSHlhS9Hz%2Fgrafik.png?alt=media&#x26;token=7dcaf4c7-d348-4be2-8781-60dd293b80dc" alt=""><figcaption></figcaption></figure>

We find the user flag in the home directory of the user `tim`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FshiWdohOA2BWV5yecjF9%2Fgrafik.png?alt=media&#x26;token=f0f7c30f-e91b-43e2-ab8f-c17c0425b359" alt=""><figcaption></figcaption></figure>

### Unintended

We inspect the other users available in the app by clicking on the following symbol.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FdDd4kLaxsxM6Ji08QUtN%2Fgrafik.png?alt=media&#x26;token=c7097e42-6765-4e5d-85c4-0cb0d0e8f2fc" alt=""><figcaption></figcaption></figure>

There is also a `Manager` user and an `Administrator` user.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FieReEaR6qGZTuBRyZvFQ%2Fgrafik.png?alt=media&#x26;token=877d6cdd-0be4-4171-ac1e-7bfb87a1be64" alt=""><figcaption></figcaption></figure>

We repeat the unintended steps from before, this time trying to log in as `Manager` instead of `scr1ptkiddy`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FtaciTWZhfDBuKUH9yBcV%2Fgrafik.png?alt=media&#x26;token=ec3f5c48-2f94-41a8-a94a-459594a8990e" alt=""><figcaption></figcaption></figure>

We remove the `Password` parameter and forward the request to bypass the login.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fu7HLtmwBtWECZMMBlzjm%2Fgrafik.png?alt=media&#x26;token=76a7d991-d4d1-4cf5-925a-39e8cebe1411" alt=""><figcaption></figcaption></figure>

We are logged in as `Manager` and are able to inspect the messages, one of which contains the SSH credentials of the user `tim`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fuye1LxwmZsdRugwWnFfr%2Fgrafik.png?alt=media&#x26;token=54e76eee-a2d4-41ae-a4c4-8dcc624146c2" alt=""><figcaption></figcaption></figure>

Next, we use those credentials to log in via SSH.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FSrBfM8v49NIWFhBXiARa%2Fgrafik.png?alt=media&#x26;token=48748988-8958-4d2e-9baa-931cff187812" alt=""><figcaption></figcaption></figure>

We find the user flag in the home directory of the user `tim`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FlueSJBpuKiucDfANGf6G%2Fgrafik.png?alt=media&#x26;token=30ce15c7-c304-40db-b549-cb9a1a374da5" alt=""><figcaption></figcaption></figure>

## Shell As Tyler

We look at `tim`'s groups and see that he is in the `adm` group, which allows us to read the logs in `/var/log`. Maybe we can find sensitive information there to escalate further.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F0oFJ5BikMxh2t4uiRI45%2Fgrafik.png?alt=media&#x26;token=e632f335-cc8f-4402-bb45-789a02f498e1" alt=""><figcaption></figcaption></figure>

There is also the user `tyler`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJD7Y3Fq4gSZzvvR73HZ7%2Fgrafik.png?alt=media&#x26;token=11d289e3-15b3-4343-99d9-becc96fa6710" alt=""><figcaption></figcaption></figure>

So let's search the logs for entries mentioning the user `tyler`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FGIDBSmfP8B6pilNneSGv%2Fgrafik.png?alt=media&#x26;token=1beefca5-0bfe-45fa-a583-896421228cfe" alt=""><figcaption></figcaption></figure>

And we do find database credentials. Maybe they are reused.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FEnwaJOCR7iscHnRUuti9%2Fgrafik.png?alt=media&#x26;token=df494e98-1e60-41d9-9a5c-27953d511bdb" alt=""><figcaption></figcaption></figure>

We use those credentials to change to the user `tyler`, and it works.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FnWasrW0LII0Rr4iuhNe1%2Fgrafik.png?alt=media&#x26;token=e5821fd4-a81b-4a79-93a6-5f9383fd2ed9" alt=""><figcaption></figcaption></figure>

## Shell As root

This user is allowed to run any command as `root` via `sudo` without a password, so we simply run `sudo su` to become `root`. We head to the root directory and find the final flag there.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FZn20RM8Kg4cJ0yhbLqih%2Fgrafik.png?alt=media&#x26;token=3a24db5e-01dd-4dc4-8e21-b9ba74d1cde2" alt=""><figcaption></figcaption></figure>

## Final Thoughts

The room showed me that I think too much in CTFs. At first, I thought - because it was an easy-rated room - all I had to do was look for the CVEs. This led me to follow the XSS portion of <https://rhinosecuritylabs.com/research/silverpeas-file-read-cves/> for a very long time. I followed this assumption because it is not a custom application. So be careful if you want to gain real security research skills from CTFs and not just follow the CVEs, and maybe find some new ones by applying your learned skills.

## Recommendation

Don't miss out on the following write-up from Cristián Rojas, using SilverCrawler as Silverpeas Administrator to read the Silverpeas configuration files:

{% embed url="<https://github.com/injcristianrojas/writeups/tree/main/thm/20250110_silverplatter>" %}
