
Silver Platter (THM)

Can you breach the server?

Intro.

Hello everyone, it has been a long time since we have had a CTF machine from TryHackMe, and now we are finally back. Let's get right into it.

Enumeration.

Port scanning.

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0ia1tcuNvK0lfuy3Ep2dsElFfxouO3VghX5Rltu77M33pFvTeCn9t5A8NReq3felAqPi+p+/0eRRfYuaeHRT4=
|   256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKecigNtiy6tW5ojXM3xQkbtTOwK+vqvMoJZnIxVowju
80/tcp   open  http       syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
| http-methods:
|_  Supported Methods: GET HEAD
8080/tcp open  http-proxy syn-ack ttl 62
|_http-title: Error
| fingerprint-strings:
|   FourOhFourRequest, HTTPOptions:
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Sun, 12 Jan 2025 03:46:40 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|   GetRequest:
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Sun, 12 Jan 2025 03:46:39 GMT
|_    <html><head><title>Error</title></head><body>404 - Not Found</body></html>

So we have two web ports, 8080 and 80, and SSH. Since RustScan shows a 404 on 8080, let's start with 80.

Port 80 Enumeration.

Enumerating the web for a bit, we can find a username, as we can see in the image below.

Also, from the image above we can find something called Silverpeas, which is a collaborative workspace.

After spending some time on the website I found nothing, so I decided to head to port 8080, which is supposed to run Silverpeas.

Port 8080

So since we have a username, we may be able to find the password somewhere.

After some time I did not find it. I searched for a hint on the port 80 site but did not find one, so I tried to look for some help.

Thanks to Mr.Bob.

I got the idea that there is a tool I did not know about called 'cewl', which extracts words from a site to try to make a password list.

And from there I tried to do the rest on my own. Given this info, we can get all the words that are possibly a password and save them.

cewl http://silver.thm -w newpasswd

Now that we have the word-list, we can use hydra to brute-force it.

I captured the request to get the necessary information.

And here is the hydra command.

hydra -l scr1ptkiddy -P ./newpasswd  silver.thm -s 8080 http-post-form "/silverpeas/AuthenticationServlet:Login=^USER^&Password=^PASS^&DomainId=0:F=Login or password incorrect"

And here we have it. Thanks to Mr.Bob again :)
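From the defender's side, the hydra run above shows up as a burst of POSTs to /silverpeas/AuthenticationServlet from a single address. The following is an added example, not part of the original write-up: it assumes common/combined-format access logs for port 8080, and the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Login endpoint taken from the hydra command on this page.
LOGIN_PATH = "/silverpeas/AuthenticationServlet"
# Assumption: access logs are in the common/combined format and in time order.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def login_posts(lines):
    """Yield (ip, timestamp) for every POST to the login servlet; skip unparsable lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak login POSTs seen inside one sliding window} for noisy sources."""
    recent = defaultdict(deque)
    peaks = {}
    for ip, ts in login_posts(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed log lines (addresses and timings are made up for the example)."""
    t0 = datetime(2025, 1, 12, 3, 50, tzinfo=timezone.utc)
    row = '{} - - [{}] "{} {} HTTP/1.1" 200 74'
    out = []
    for i in range(25):  # one source, 25 login POSTs one second apart
        out.append(row.format("10.10.0.5", (t0 + timedelta(seconds=i)).strftime(TS_FMT), "POST", LOGIN_PATH))
    for i in range(3):   # another source, 3 login POSTs five minutes apart
        out.append(row.format("10.10.0.9", (t0 + timedelta(minutes=5 * i)).strftime(TS_FMT), "POST", LOGIN_PATH))
    out.append(row.format("10.10.0.9", t0.strftime(TS_FMT), "GET", "/silverpeas/"))
    out.append("garbage line that does not parse")
    return out

if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within 60s")
```

Access logs do not record the response body, so this counts every login POST rather than only failed ones; the threshold has to sit above normal login traffic for the site.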

So after logging in I spent a lot of time looking around, and I found an IDOR to find other users.

We can change the userId field to find more users. We can also find a user called manager.

Shell as Tim

So after this IDOR I thought I might be able to find more, but there was something that distracted me.

Here we can see a CVE that allows for file read. What made me work with this was that Tyler himself was part of it.

But it did not actually work. :(

After some time I noticed something odd: when we try to view the messages we can see an Id field, which would yet again give us an IDOR on the messages here.

I checked from 5-0 but nothing interesting was there, but the number 6 was the lucky number.

With that we can log in via SSH.

Shell as Root.

The rooting process was quite easy. The first thing that was odd to me here was that when I checked the home directory, tim's home directory was owned by root.

So I used the id command to check the user's groups. Then I saw this

With that we can check the logs and see what we have there.

So there are quite a lot of logs, but we are going to focus on this first, as it sometimes contains creds.

And indeed, in the file auth.log.2 I found a DB password and user, but I cannot connect to the database from the machine since psql is not installed, so there must be some other use for this password.

And as you may guess, it is just a password reuse vulnerability: I reused this password to access the Tyler user.

Then from here it's very simple: using the command sudo -l we can see that the Tyler user has root access on everything.

Final thought.

This machine was quite a bit more realistic than others I have played. For example, the IDOR may exist in such a way as we exploited, and password reuse is one of the more common vulnerabilities people fall for. Great job from Tyler and the Hack Smarter Community. 😄
