#tryhackme #linux #easy

![[Pasted image 20250705230832.png]]

---

# Information Gathering

I ran an Nmap TCP scan against all 65,535 ports and found 3 open ports: 22, 80, and 8080.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 20:58 CDT
Nmap scan report for 10.10.87.55
Host is up (0.13s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 23.99 seconds
```

Then I performed a more detailed TCP scan with the `-sCV` options against those 3 open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 22,80,8080
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 21:01 CDT
Nmap scan report for 10.10.87.55
Host is up (0.14s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_  256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
80/tcp   open  http       nginx 1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  http-proxy
|_http-title: Error
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Sun, 06 Jul 2025 02:01:54 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|   GetRequest, HTTPOptions:
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Sun, 06 Jul 2025 02:01:53 GMT
|_    <html><head><title>Error</title></head><body>404 - Not Found</body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.95%I=7%D=7/5%Time=6869D911%P=aarch64-unknown-linux-gnu
... <SNIP> ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.52 seconds
```

A UDP scan against the top 1,000 ports revealed no open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-05 21:05 CDT
Nmap scan report for 10.10.87.55
Host is up (0.14s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
53/udp    closed domain
80/udp    closed http
36778/udp closed unknown
59846/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds
```

---

# Footprinting

##### Port 80

In the `Page Source`, I noticed that the `/#elements` page is commented out for some reason.

![[Pasted image 20250705210957.png]]

In `/#contact`, a username `scr1ptkiddy` is mentioned. The website says it's the username of their project manager on `Silverpeas`.

##### Port 8080

Upon navigating to port 8080, it just displays `404 Not Found`.

![[Pasted image 20250705211449.png]]

I ran `gobuster` to enumerate directories and found `/website` and `/console`. Unfortunately, neither directory contains any useful information.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://$IP:8080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.87.55:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/website              (Status: 302) [Size: 0] [--> http://10.10.87.55:8080/website/]
/console              (Status: 302) [Size: 0] [--> /noredirect.html]
```

At this point, I had exhausted every enumeration method I could think of and was not able to get any useful information. I was stuck. While exploring the website on port 80 again, in `/#contact`, the word `Silverpeas` stood out to me. What if that's the actual name of the directory?

![[Pasted image 20250705215105.png]]

My hunch was right. On port 8080, there was a `/silverpeas` directory available. On the login form, we could definitely try the username `scr1ptkiddy`, but we do not know the password yet. Let's keep enumerating from here.

![[Pasted image 20250705215126.png]]

`Gobuster` was able to enumerate a lot of directories, but most of them returned the status code 302 and the rest didn't include anything useful.

![[Pasted image 20250705221106.png]]

# Exploit

I searched for `silverpeas exploit poc` and stumbled upon this page. The Silverpeas CRM is affected by `CVE-2024-36042`, which we can take advantage of to bypass authentication.
https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d

![[Pasted image 20250705221320.png]]

Remember, we have to completely remove the password field from the request. Leaving the password field blank in the login form on the website won't let you in.

![[Pasted image 20250705221459.png]]

Using `Burp Suite`, I intercepted the login request. As you can see below, there is a `Password` field.

![[Pasted image 20250705221641.png]]

I got rid of that field and forwarded my request.

![[Pasted image 20250705221654.png]]

Successfully logged in as `scr1ptkiddy`.

![[Pasted image 20250705221950.png]]

At the very top, there was one notification sent to `scr1ptkiddy`. It was from `Manager`, asking me if I wanted to join in playing VR. However, I noticed that the URL of the notification has an `ID` parameter at the end.

![[Pasted image 20250705222455.png]]

I messed with the `ID` parameter and realized that I was able to see other notifications that don't belong to `scr1ptkiddy`, which indicates an `IDOR` vulnerability. `ID=6` reveals a message from `Administrator`, and this message contains a set of credentials.

![[Pasted image 20250705222358.png]]

I logged into the SSH server with the found credentials :)

```bash
tim@silver-platter:~$ whoami
tim
```

Found `user.txt`:

```bash
tim@silver-platter:~$ ls
user.txt
tim@silver-platter:~$ cat user.txt
THM{c4...
```

# Lateral Movement & Privilege Escalation

The `id` command reveals that user `tim` is part of the `adm` group. The `adm` group in Linux stands for `administration` and is used to give users permission to **read log files** in the `/var/log` directory. Members of the `adm` group usually have access to system logs without needing `sudo` privileges.

```bash
tim@silver-platter:/home$ id
uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)
```

There are multiple `auth.log` files which might contain some credentials we are interested in.
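Before reading the logs, it helps to be precise about what `adm` membership actually grants. The block below is an added example and not part of the original write-up: it parses `ls -l` output of the shape shown in the `/var/log` listing that follows and applies the POSIX owner/group/other rule for a given user and group set. The sample listing embedded in it is a constructed subset of that `/var/log` listing, and the user and groups are the ones `id` reported for `tim` (user `tim`, groups `tim` and `adm`). ACL entries (the trailing `+` on `journal`) and root's permission bypass are deliberately out of scope.

```python
"""Which of these log files can `tim` actually read?

Added example (not the author's code): parses `ls -l` output and applies the
POSIX owner/group/other rule for a given user and set of groups. ACLs (the '+'
suffix on a mode) and root's bypass are ignored on purpose.
"""
import re
from typing import Iterable, List, NamedTuple


class Entry(NamedTuple):
    mode: str
    owner: str
    group: str
    name: str


# Standard long listing: mode, link count, owner, group, size, date (3 fields),
# name. A trailing '+' on the mode (ACL present) is tolerated.
_LS_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9}\+?)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls_l(text: str) -> List[Entry]:
    """Return one Entry per file line; 'total N' and prompt lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LS_RE.match(line.strip())
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"], m["name"]))
    return entries


def can_read(entry: Entry, user: str, groups: Iterable[str]) -> bool:
    """POSIX check: the first matching class (owner, then group, then other)
    decides, even if a later class would have been more permissive."""
    bits = entry.mode[1:10]  # rwxrwxrwx
    if entry.owner == user:
        return bits[0] == "r"
    if entry.group in set(groups):
        return bits[3] == "r"
    return bits[6] == "r"


def readable_files(text: str, user: str, groups: Iterable[str]) -> List[str]:
    """Names of the files in an `ls -l` listing that `user` can read."""
    groups = set(groups)
    return [e.name for e in parse_ls_l(text) if can_read(e, user, groups)]


# Constructed subset of the page's /var/log listing.
SAMPLE_LISTING = """\
total 2144
-rw-r--r--  1 root   root       0 May  1  2024 alternatives.log
drwx------  3 root   root    4096 May  8  2024 amazon
-rw-r-----  1 syslog adm     4286 Jul  6 03:48 auth.log
-rw-r-----  1 syslog adm    32399 Dec 13  2023 auth.log.2
-rw-rw----  1 root   utmp       0 Jul  6 01:57 btmp
-rw-r-----  1 root   adm    45932 Jul  6 01:57 dmesg
drwxr-sr-x+ 3 root   systemd-journal 4096 Dec 12  2023 journal
-rw-rw-r--  1 root   utmp  292584 Jul  6 03:48 lastlog
"""

if __name__ == "__main__":
    # adm membership is exactly what turns auth.log and dmesg from unreadable
    # into readable; btmp (group utmp) stays closed.
    print("tim   :", readable_files(SAMPLE_LISTING, "tim", ["tim", "adm"]))
    print("nobody:", readable_files(SAMPLE_LISTING, "nobody", ["nobody"]))
```

Comparing the two runs shows the attack surface `adm` adds: the `auth.log*` and `dmesg` files flip from unreadable to readable purely through the group bit, while `btmp` (group `utmp`) and the `amazon` directory stay closed. For a defender, the same script run against a real listing is a quick way to confirm that nothing with secrets in it has drifted into an `adm`-readable mode.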
```bash
tim@silver-platter:/var/log$ ls -l
total 2144
-rw-r--r--  1 root      root                 0 May  1  2024 alternatives.log
-rw-r--r--  1 root      root             34877 Dec 12  2023 alternatives.log.1
drwx------  3 root      root              4096 May  8  2024 amazon
drwxr-xr-x  2 root      root              4096 May  1  2024 apt
-rw-r-----  1 syslog    adm               4286 Jul  6 03:48 auth.log
-rw-r-----  1 syslog    adm               6356 Jul  6 01:57 auth.log.1
-rw-r-----  1 syslog    adm              32399 Dec 13  2023 auth.log.2
-rw-r-----  1 syslog    adm                755 May  8  2024 auth.log.2.gz
-rw-r--r--  1 root      root               600 May  8  2024 aws114_ssm_agent_installation.log
-rw-r--r--  1 root      root             64549 Aug 10  2023 bootstrap.log
-rw-rw----  1 root      utmp                 0 Jul  6 01:57 btmp
-rw-rw----  1 root      utmp               384 May  1  2024 btmp.1
-rw-r-----  1 syslog    adm             680197 Jul  6 01:57 cloud-init.log
-rw-r-----  1 root      adm              32825 Jul  6 01:57 cloud-init-output.log
drwxr-xr-x  2 root      root              4096 Aug  2  2023 dist-upgrade
-rw-r-----  1 root      adm              45932 Jul  6 01:57 dmesg
-rw-r-----  1 root      adm              45164 May  8  2024 dmesg.0
-rw-r-----  1 root      adm              14486 May  8  2024 dmesg.1.gz
-rw-r-----  1 root      adm              14519 May  8  2024 dmesg.2.gz
-rw-r-----  1 root      adm              14523 May  1  2024 dmesg.3.gz
-rw-r-----  1 root      adm              14543 Dec 13  2023 dmesg.4.gz
-rw-r--r--  1 root      root                 0 Jul  6 01:57 dpkg.log
-rw-r--r--  1 root      root               490 May  8  2024 dpkg.log.1
-rw-r--r--  1 root      root             50823 Dec 13  2023 dpkg.log.2.gz
-rw-r--r--  1 root      root             32064 Dec 13  2023 faillog
drwxr-x---  4 root      adm               4096 Dec 12  2023 installer
drwxr-sr-x+ 3 root      systemd-journal   4096 Dec 12  2023 journal
-rw-r-----  1 syslog    adm               2844 Jul  6 01:57 kern.log
-rw-r-----  1 syslog    adm             185829 Jul  6 01:57 kern.log.1
-rw-r-----  1 syslog    adm              27571 May  8  2024 kern.log.2.gz
-rw-r-----  1 syslog    adm              82570 Dec 13  2023 kern.log.3.gz
drwxr-xr-x  2 landscape landscape         4096 Dec 12  2023 landscape
-rw-rw-r--  1 root      utmp            292584 Jul  6 03:48 lastlog
drwxr-xr-x  2 root      adm               4096 Jul  6 01:57 nginx
```

`cat /var/log/auth* | grep -i pass` revealed a set of credentials we can try.
![[Pasted image 20250705225758.png]]

Successfully logged in as `tyler` with the credentials found in the `/var/log` directory.

```bash
tim@silver-platter:/var/log$ su tyler
Password:
tyler@silver-platter:/var/log$ whoami
tyler
```

The `sudo -l` command reveals that user `tyler` can run any command with `sudo`.

```bash
tyler@silver-platter:~$ sudo -l
[sudo] password for tyler:
Matching Defaults entries for tyler on silver-platter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User tyler may run the following commands on silver-platter:
    (ALL : ALL) ALL
```

So, I simply ran `sudo /bin/bash` to get a shell as `root`.

```bash
tyler@silver-platter:~$ sudo /bin/bash -p
root@silver-platter:/home/tyler# whoami
root
root@silver-platter:/home/tyler#
```

Found `root.txt` :)

```bash
root@silver-platter:/home/tyler# cd /root
root@silver-platter:~# ls
root.txt  snap  start_docker_containers.sh
root@silver-platter:~# cat root.txt
THM{098...
```
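Looking back at the two web findings that gave the foothold, the deleted `Password` field and the notification `ID` parameter, the block below is an added example that is not Silverpeas code and not the author's: a small, constructed model of a login handler and a notification lookup, each in a vulnerable form beside its hardened form. The user table, the session handling, the notification store and the passwords are all made up here. The fail-open login models the class of bug in which a request with the password parameter *absent* is treated differently from one with it *blank*, which is the behaviour the write-up observed; it does not claim that this is the exact root cause of `CVE-2024-36042`.

```python
"""Two authorization mistakes in one constructed model of a notification inbox.

Added example, not Silverpeas code and not the author's. Everything here
(users, passwords, notifications) is constructed for the demo. Passwords use
salted SHA-256 to keep the example short; a real deployment would use a slow
KDF such as argon2, bcrypt or scrypt.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


USERS = {
    "scr1ptkiddy": _hash("demo-password-1", _SALT),
    "tim": _hash("demo-password-2", _SALT),
}


@dataclass
class Notification:
    id: int
    recipient: str
    sender: str
    body: str


# Constructed inbox. IDs are sequential and global, the shape that makes an
# unchecked ID parameter enumerable.
NOTIFICATIONS = {
    5: Notification(5, "scr1ptkiddy", "Manager", "Want to join us for VR?"),
    6: Notification(6, "tim", "Administrator", "<credentials redacted in demo>"),
}


def login_fail_open(form: dict) -> Optional[str]:
    """Vulnerable: a request with the password field *absent* skips the check.

    form.get("Password") returns None, the 'is not None' guard short-circuits,
    and control falls through to success. A blank string still fails, which
    is why clearing the field in the browser does nothing while deleting the
    parameter in a proxy logs you in.
    """
    user = form.get("Login")
    password = form.get("Password")
    if user not in USERS:
        return None
    if password is not None and not hmac.compare_digest(_hash(password, _SALT), USERS[user]):
        return None
    return user  # BUG: reached with no password at all


def login_fail_closed(form: dict) -> Optional[str]:
    """Hardened: missing, empty or wrong credentials all fail identically."""
    user = form.get("Login")
    password = form.get("Password")
    if not user or not password or user not in USERS:
        return None
    if not hmac.compare_digest(_hash(password, _SALT), USERS[user]):
        return None
    return user


def get_notification_idor(session_user: str, notification_id: int) -> Optional[Notification]:
    """Vulnerable: authenticates the caller but never checks object ownership."""
    if session_user not in USERS:
        return None
    return NOTIFICATIONS.get(notification_id)


def get_notification_checked(session_user: str, notification_id: int) -> Optional[Notification]:
    """Hardened: the lookup is scoped to the recipient, so someone else's ID
    looks exactly like a nonexistent one (no 'exists but not yours' oracle)."""
    if session_user not in USERS:
        return None
    note = NOTIFICATIONS.get(notification_id)
    if note is None or note.recipient != session_user:
        return None
    return note


if __name__ == "__main__":
    tampered = {"Login": "scr1ptkiddy"}  # Password parameter deleted entirely
    print("fail-open  :", login_fail_open(tampered))
    print("fail-closed:", login_fail_closed(tampered))
    print("idor       :", get_notification_idor("scr1ptkiddy", 6).sender)
    print("checked    :", get_notification_checked("scr1ptkiddy", 6))
```

The two fixes share one principle: authorization decisions must not depend on the shape of the request. The fail-closed login treats an absent parameter exactly like a wrong one, and the scoped lookup makes a foreign `ID` indistinguishable from a nonexistent one, which also removes the enumeration oracle regardless of whether IDs are sequential.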