Find This Room: Silver Platter
Silver Platter was a simple room where we discovered a Silverpeas installation along with a username. We brute-forced the user’s password using a custom wordlist to gain access to Silverpeas, and by exploiting a vulnerability in it that allows an authenticated user to read all the messages, we uncovered SSH credentials in one of them.
Using the discovered credentials to gain a shell, we found a password in the logs and used it to escalate to the root user, completing the room.
Initial Enumeration
Nmap Scan
We start with an nmap scan.
nmap -T4 -n -sC -sV -Pn -p- 10.10.65.233
Nmap scan report for 10.10.191.243
Host is up (0.089s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_ 256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http-proxy
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are three open ports:
- 22 (SSH)
- 80 (HTTP)
- 8080 (HTTP)
Web 80
Checking http://10.10.65.233/, we find a static site.
Web 8080
Checking http://10.10.65.233:8080/, we simply receive a 404 error.
Shell as tim
Discovering Silverpeas
In the Contact section on port 80 (http://10.10.65.233/#contact), we find an interesting message mentioning Silverpeas and a username: scr1ptkiddy.
Silverpeas typically runs on :8080/silverpeas, and visiting http://10.10.65.233:8080/silverpeas, we find the login page for it.
Brute-forcing the Credentials
The contact page provides a username, and the challenge room states a password policy that disallows breached passwords. So, instead of using a wordlist like rockyou.txt, we can generate a custom wordlist from the text in the web application on port 80 using cewl:
$ cewl http://10.10.65.233/ > passwords.txt
Now, using this wordlist with ffuf to brute-force the password for the scr1ptkiddy user, we find it as a[REDACTED]g:
Initial Access
Reading Messages
Using the discovered credentials, we successfully log in as scr1ptkiddy to Silverpeas.
Searching for vulnerabilities in Silverpeas, we find CVE-2023-47323, which allows reading all messages via the http://localhost:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=[messageID] endpoint.
Exploiting this vulnerability, we read the message with ID 6 (http://10.10.65.233:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=6) and find the SSH credentials for the tim user.
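On the defensive side, the ReadMessage.jsp behaviour described above leaves a recognisable trace in web access logs: one client requesting a run of consecutive message IDs. The Python below is an added example, not part of the original write-up or of Silverpeas, that flags that pattern; the log format, the sample lines, the grouping by client IP and the min_run threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (assumed combined-log format, documentation IPs).
_FMT = ('{ip} - - [01/Jan/2025:10:00:{n:02d} +0000] '
        '"GET /silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID={n} HTTP/1.1" 200 812')
SAMPLE_LOG = "\n".join(
    [_FMT.format(ip="192.0.2.10", n=n) for n in (12, 15)]        # ordinary reads
    + [_FMT.format(ip="198.51.100.7", n=n) for n in range(1, 9)]  # ID walk 1..8
    + ['192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "GET /silverpeas/ HTTP/1.1" 200 99',
       "malformed line"]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
ENDPOINT = "/silverpeas/rsilvermail/jsp/readmessage.jsp"

def message_reads(log_text):
    """Yield (client, message_id) for every request to ReadMessage.jsp."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m.group(2))
        if url.path.lower() != ENDPOINT:
            continue
        for value in parse_qs(url.query).get("ID", []):
            if value.isdigit():
                yield m.group(1), int(value)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    s, best = set(ids), 0
    for i in s:
        if i - 1 not in s:  # i starts a run
            n = 1
            while i + n in s:
                n += 1
            best = max(best, n)
    return best

def flag_enumeration(log_text, min_run=5):
    """Map each client that requested >= min_run consecutive IDs to its sorted IDs."""
    seen = defaultdict(set)
    for client, mid in message_reads(log_text):
        seen[client].add(mid)
    return {c: sorted(ids) for c, ids in seen.items() if longest_run(ids) >= min_run}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Behind a reverse proxy or NAT, grouping by session or authenticated user instead of client IP gives a cleaner signal; the run-length heuristic cannot tell whose messages were read, only that IDs were walked in sequence.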
Post-Exploitation
Using these credentials, we can gain a shell and read the user flag at /home/tim/user.txt:
Shell as root
Finding the Password
Checking the group memberships for the tim user, we see that the user belongs to the adm group:
As a member of the adm group, we can read most logs on the machine. Searching the logs for passwords, we find one in auth.log for the Silverpeas database:
Checking the /etc/passwd file, we see that, apart from the tim user, there is also the tyler user.
Now we search the logs for a password for the tyler user:
We find the password:
Testing the password we discovered for the tyler user, we successfully switch users:
Checking sudo privileges for tyler, we see full access:
With this, we can use sudo to escalate to the root user and read the root flag at /root/root.txt to complete the room.
Happy Hacking