Silver Platter

Can you breach the server? - by TeneBrae93


Last updated 4 months ago


The following post by 0xb0b is licensed under CC BY 4.0.


Recon

We start with an Nmap scan and find three open ports: port 22, on which SSH is available; port 80, an nginx web server; and port 8080, another web server.

When enumerating the directories using Feroxbuster, we do not find anything interesting on the web server on port 80.

feroxbuster -u 'http://silverplatter.thm/' -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt

On the web server on port 8080 we find two directories, /website and /console, both very interesting. However, /console redirects to a static HTML page, nodirect.html, and /website redirects to /website/, which is forbidden.

feroxbuster -u 'http://silverplatter.thm:8080/' -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt

We look at the page manually on port 80.

Under Contact we find a possible user who is a project manager for Silverpeas.

We write down the findings...

Silverpeas
scr1ptkiddy

On the website on port 8080 we find nothing on the index page and /website redirects us to /website/, which is forbidden.

Various 403 bypass techniques and automated scripts were unsuccessful. Since we have a username and a hint of a possible brute force in the room description, we try basic authentication brute force via Hydra. This was also unsuccessful.

Web Access

However, we still have the reference to Silverpeas in the contact form. We enter this as a directory for http://silverpeas.thm:8080/ and have a hit. A login page for Silverpeas. We find some CVEs for this, but they are not necessary.

Silverpeas
http://silverpeas.thm:8080/silverpeas

Intended

Since we have a username, we could try to brute-force the login using hydra. As the room description hints, rockyou.txt may not help here, but we can create a wordlist from the words on the http://silverplatter.thm page. We use cewl to do this.

cewl http://silverplatter.thm > passwords.txt

User:

scr1ptkiddy

Now we capture a login request to craft our hydra command.

We forward the intercepted request to get the invalid response message.

Next, we build the hydra command with the user we found and the words extracted by cewl, and we are able to retrieve a credential pair.

hydra -l scr1ptkiddy -P passwords.txt silverplatter.thm -s 8080 http-post-form "/silverpeas/AuthenticationServlet:Login=^USER^&Password=^PASS^&DomainId=0:F=Login or password incorrect"

We are able to log in as scr1ptkiddy at Silverpeas.
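Added example (not part of the writeup): the cewl + hydra run above hits /silverpeas/AuthenticationServlet many times per second from a single client, which stands out in the nginx access log on port 8080. The log lines, client IPs and timestamps below are constructed; the endpoint comes from the hydra command.

```python
import re
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/silverpeas/AuthenticationServlet"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample (nginx combined format): four rapid POSTs to the login
# servlet from one client, one from another, and an unrelated GET later on.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:12:00:01 +0000] "POST /silverpeas/AuthenticationServlet HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2025:12:00:01 +0000] "POST /silverpeas/AuthenticationServlet HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2025:12:00:02 +0000] "POST /silverpeas/AuthenticationServlet HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2025:12:00:02 +0000] "POST /silverpeas/AuthenticationServlet HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2025:12:00:30 +0000] "POST /silverpeas/AuthenticationServlet HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2025:12:05:00 +0000] "GET /silverpeas/ HTTP/1.1" 200 1024
"""

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def login_bursts(log_text, window_s=60, threshold=3):
    """Return {ip: count} for clients that sent more than `threshold` POSTs
    to the login servlet within any sliding window of `window_s` seconds.
    Only the request line is visible here, so the check counts attempts
    rather than failures (the failure text lives in the response body)."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = best
    return flagged
```

Tune the threshold to the site's normal login rate; a handful of attempts per minute from one address is typical of a person, not of hydra.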

Unintended

It seems that while testing the room, Aquinas found a way to bypass the login. All you have to do is remove the password parameter.

We intercept a login request for the user scr1ptkiddy using Burp Suite, remove the password parameter, and then forward the request.

And we are logged in.

Shell As Tim

After being logged in as scr1ptkiddy, we can find a single notification.

Intended

In the personal workspace, we can inspect our notifications.

We intercept the request that opens the message and see that the message is fetched by ID, here ID 5.

But there is an IDOR: we can also inspect the messages of other users. The message with ID 6 contains the SSH credentials of the user tim.

Next, we use those credentials to log in via SSH.

We find the user flag in the home directory of the user tim.

Unintended

We inspect the other users available on the app by clicking on the following symbol.

There is also a Manager user and an Administrator user.

We repeat our unintended steps from before and try to log in as Manager and not scr1ptkiddy this time.

We remove the Password parameter and forward the request to bypass the login.

We are logged in as Manager and are able to inspect the messages, one of which contains the SSH credentials of the user tim.

Next, we use those credentials to log in via SSH.

We find the user flag in the home directory of the user tim.
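Added illustrative example, not Silverpeas code: a minimal inbox service that reproduces both access-control failures used above, a login that succeeds when the Password parameter is simply absent, and a message lookup with no ownership check on the ID, each beside the check that closes it. Users, passwords and messages are constructed.

```python
import hashlib
import hmac

# Constructed sample state (hypothetical, not Silverpeas data). Message 6
# plays the role of the one holding tim's SSH credentials in the writeup.
USERS = {"scr1ptkiddy": "correct horse", "Manager": "m4nager!"}
MESSAGES = {5: ("scr1ptkiddy", "Welcome to Silverpeas"),
            6: ("Manager", "tim SSH credentials: <placeholder>")}

def _pw_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

STORED = {u: _pw_hash(p) for u, p in USERS.items()}

def login_vulnerable(form):
    """Mirrors the bypass: the password is verified only when the form
    carries a Password field, so dropping the field logs the user in."""
    user = form.get("Login")
    if user not in STORED:
        return None
    if "Password" in form and not hmac.compare_digest(STORED[user], _pw_hash(form["Password"])):
        return None
    return user

def login_fixed(form):
    """Require both fields: a missing or empty password is a failed login."""
    user = form.get("Login")
    password = form.get("Password")
    if not user or not password or user not in STORED:
        return None
    if not hmac.compare_digest(STORED[user], _pw_hash(password)):
        return None
    return user

def read_message_vulnerable(session_user, msg_id):
    """IDOR: any authenticated user may read any message ID it asks for."""
    if session_user is None or msg_id not in MESSAGES:
        return None
    return MESSAGES[msg_id][1]

def read_message_fixed(session_user, msg_id):
    """Object-level check: the message must belong to the session user."""
    if session_user is None or msg_id not in MESSAGES:
        return None
    owner, body = MESSAGES[msg_id]
    if owner != session_user:
        return None  # answer 403/404 instead of serving another user's message
    return body
```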

Shell As Tyler

We look at tim's groups and see that he is in the adm group. This allows us to read the logs in /var/log. Maybe we can find sensitive information there to escalate further.

There is also the user tyler.

So let's search for entries mentioning the user tyler.

And we do find some database credentials. Maybe they are reused.

We use those credentials to change the user to tyler and are successful.

Shell As root

This user is allowed to run any command as root using sudo without a password, so we just issue sudo su to become root. We head to the root directory and find the final flag there.

Final Thoughts

The room showed me that I think too much in CTFs. At first, I thought - because it was an easy-rated room - all I had to do was look for the CVEs. This led me to follow the XSS portion of https://rhinosecuritylabs.com/research/silverpeas-file-read-cves/ for a very long time. I followed this assumption because it is not a custom application. So be careful if you want to gain real security research skills from CTFs and not just follow the CVEs, and maybe find some new ones by applying your learned skills.

Recommendation

Don't miss out on the following write-up from Cristián Rojas, using SilverCrawler as Silverpeas Administrator to read the Silverpeas configuration files:

Silver Platter - TryHackMe
writeups/thm/20250110_silverplatter at main · injcristianrojas/writeups - GitHub