TryHackMe | Silver Platter
Can you breach the server?
1. RECON
1.1 Nmap
nmap -sV -sT -A -p- 10.10.185.253 --min-rate=1500
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_ 256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http-proxy
|_http-title: Error
| fingerprint-strings:
| FourOhFourRequest, GetRequest, HTTPOptions:
| HTTP/1.1 404 Not Found
| Connection: close
| Content-Length: 74
| Content-Type: text/html
| Date: Sat, 11 Jan 2025 12:54:31 GMT
| <html><head><title>Error</title></head><body>404 - Not Found</body></html>
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
|_ Connection: close
---
...
We can see three services running: port 22 (SSH), 80 (HTTP) and 8080 (HTTP).
At first, I thought about enumerating the services on port 80 and 8080. Here's how it went.
1.2 Web app on port 80
This is some cyber security website.
After navigating a little through it, I came across something interesting. In /contact, there is some content that leaks the username: scr1ptkiddy. Maybe it will be useful for brute-forcing a form or something, at least that's what I thought initially, but this wasn't the case. Some other crucial info is mentioned, but I'll come to it later.
Enumerating directories using Ffuf brought no interesting result:
ffuf -u http://10.10.185.253/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -ac
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 72ms]
assets [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 63ms]
Enumeration with extensions:
ffuf -u http://10.10.185.253/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .txt,.php,.js -ac
...
README.txt [Status: 200, Size: 771, Words: 91, Lines: 30, Duration: 64ms]
LICENSE.txt [Status: 200, Size: 17128, Words: 2798, Lines: 64, Duration: 64
1.3 Web app on port 8080
I approached this part similarly to the previous one, but again no interesting info was found.
Directory enumeration results:
ffuf -u http://10.10.185.253:8080/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -ac
website [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 114ms]
console [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 78ms]
Enumeration with extensions:
ffuf -u http://10.10.185.253:8080/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .txt,.php,.js -ac
Same result as above
I found it interesting that /console/ redirected to /noredirect.html, but this information still doesn't help.
I tried to enumerate a little bit further before changing the approach:
ffuf -u http://10.10.185.253:8080/website/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -e .txt,.php,.js -ac
Nothing here or in /console
At this point, I knew I needed to change my approach and thought about enumerating parameters, BUT before that, I felt I should check the website on port 80 again. Looking again at /contact, I noticed an interesting name: Silverpeas, more exactly.
Now things started to make more sense.
1.4 Silverpeas
A Google search revealed that Silverpeas lives in the /silverpeas folder, and after requesting it on the port 8080 app, we get a login page. Nice!
Moving on, I tried to find the version of the app in the web source code, but I didn't find it and I still don't know if it's there, because I aborted the search and googled the app's vulnerabilities and exploits: Silverpeas exploit.
The Google search from above brought a GitHub gist to my attention:
https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d
Reading the info from the repo and putting the steps into practice using Burp Suite, I managed to log in as "scr1ptkiddy". We can also see that this bug was fixed in version 6.3.5.
Now, back to Google searching for how to exploit the app when logged in, but I didn't find anything useful.
Navigating through the app as "scr1ptkiddy", I saw he has a notification from "Manager". Also, I found another username, "Administrateur". I tried doing the steps from the GitHub gist with these two users and got access to the "Manager" account.
Looking at Manager's notification, I found some SSH credentials for user tim. In this way, we can gain initial access to the server.
2. Initial access
Got user.txt!
2.1 Privesc
I went straight to running linpeas.sh and it revealed that being part of the adm group can be a PE vector.
...
AdminIdentities=unix-group:sudo;unix-group:admin
...
Also, the id command can be run to see that we are part of the adm group.
Being part of the adm group, we can check out logs. So, going to /var/log and catting auth.log.2 and looking through it reveals something interesting:
Dec 13 15:45:57 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=REDACTED -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:6.3.1
Using that password to connect as tyler via SSH works. Lateral privilege escalation.
Running sudo -l as tyler shows that we can easily escalate to root using sudo su.
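The auth.log entry above is the whole privilege-escalation path: sudo logs the full command line, and the secret was passed as a docker -e argument. As an added defender-side example (not part of the original writeup), the following Python parses sudo entries of that shape and flags commands carrying credential-looking arguments. The log lines are constructed samples, and the regexes and the list of sensitive key names are my own assumptions.

```python
import re

# Constructed sample auth.log lines (not taken from any real host). The docker
# entry mirrors the shape of the one found in the room, with a made-up secret.
SAMPLE_AUTH_LOG = """\
Dec 13 15:44:10 silver-platter sshd[1204]: Accepted publickey for tim from 10.0.0.5 port 51234 ssh2
Dec 13 15:45:57 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=ExamplePass123 -v silverpeas-log:/opt/silverpeas/log --link postgresql:database silverpeas:6.3.1
Dec 13 15:46:02 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/apt update
Dec 13 15:47:30 silver-platter sudo: tim : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/mysql -u app --password=hunter2 appdb
"""

# One sudo "COMMAND=" entry, as sudo writes it to auth.log.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Argument shapes that commonly carry a secret: docker's -e/--env KEY=value and
# any --long-option=value. The key name decides whether it looks sensitive
# (this key list is an assumption; extend it for your environment).
ENV_ARG_RE = re.compile(r"(?:-e|--env)\s+([A-Za-z_][A-Za-z0-9_]*)=(\S+)")
LONGOPT_RE = re.compile(r"--([a-z][a-z0-9-]*)=(\S+)")
SECRET_KEY_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY", re.I)


def parse_sudo_entries(log_text):
    """Return one dict (ts, host, user, tty, pwd, runas, cmd) per sudo entry."""
    entries = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_leaked_secrets(log_text):
    """Return (invoking_user, run_as, key, redacted_command) for every sudo
    COMMAND that carries a credential-looking argument; the secret value itself
    is never returned, so a finding can be shared without re-leaking it."""
    findings = []
    for e in parse_sudo_entries(log_text):
        cmd = e["cmd"]
        hits = [(k, v) for k, v in ENV_ARG_RE.findall(cmd) + LONGOPT_RE.findall(cmd)
                if SECRET_KEY_RE.search(k)]
        redacted = cmd
        for _, value in hits:
            redacted = redacted.replace(value, "<redacted>")
        for key, _ in hits:
            findings.append((e["user"], e["runas"], key, redacted))
    return findings
```

Run against a real auth.log, any hit means the secret is readable by every member of adm, so the fix is both to rotate it and to move it out of the command line (an env file or a secrets volume).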
Matching Defaults entries for tyler on silver-platter:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User tyler may run the following commands on silver-platter:
(ALL : ALL) ALL
This was a nice room which required just some basic attention to detail, which I lacked at first :). At least, I worked on my directory enumeration skills. It also left me thinking why silverpeas isn't in my SecLists directory-list-2.3 files… But maybe using one tool for directory enumeration isn't always enough. Plenty to learn even from small steps.
This post is licensed under CC BY 4.0 by the author.