We start with an Nmap scan and find three open ports. Port 22 on which we have SSH available, port 80 to an nginx web server and port 8080 to another web server.
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -sT -p 22,80,8080 silverplatter.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 12:26 IST
Nmap scan report for silverplatter.thm (10.10.232.52)
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_ 256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http-proxy
|_http-title: Error
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Connection: close
| Content-Length: 74
| Content-Type: text/html
| Date: Mon, 17 Feb 2025 06:56:38 GMT
| <html><head><title>Error</title></head><body>404 - Not Found</body></html>
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
| Connection: close
| GetRequest, HTTPOptions:
| HTTP/1.1 404 Not Found
| Connection: close
| Content-Length: 74
| Content-Type: text/html
| Date: Mon, 17 Feb 2025 06:56:37 GMT
|_ <html><head><title>Error</title></head><body>404 - Not Found</body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=2/17%Time=67B2DDA4%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,C9,"HTTP/1\.1\x20404\x20Not\x20Found\r\nConnection:\x20clos
.............
SF:n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.34 seconds
While enumerating directories with Feroxbuster on the web server running on port 80, we did not discover any notable or useful results.
┌──(kali㉿kali)-[~]
└─$ feroxbuster -u 'http://silverplatter.thm/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://silverplatter.thm/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 12w 178c http://silverplatter.thm/images => http://silverplatter.thm/images/
200 GET 137l 408w 15151c http://silverplatter.thm/images/pic03.jpg
200 GET 2l 52w 2051c http://silverplatter.thm/assets/js/browser.min.js
200 GET 587l 1232w 12433c http://silverplatter.thm/assets/js/util.js
200 GET 401l 738w 8435c http://silverplatter.thm/assets/js/main.js
200 GET 2l 87w 2439c http://silverplatter.thm/assets/js/breakpoints.min.js
200 GET 37l 80w 572c http://silverplatter.thm/assets/css/noscript.css
200 GET 1657l 3577w 34353c http://silverplatter.thm/assets/css/main.css
200 GET 2l 1294w 89501c http://silverplatter.thm/assets/js/jquery.min.js
403 GET 7l 10w 162c http://silverplatter.thm/assets/
403 GET 7l 10w 162c http://silverplatter.thm/assets/js/
403 GET 7l 10w 162c http://silverplatter.thm/assets/css/
301 GET 7l 12w 178c http://silverplatter.thm/assets => http://silverplatter.thm/assets/
200 GET 3507l 19364w 1579223c http://silverplatter.thm/images/pic02.jpg
200 GET 8018l 46906w 3648400c http://silverplatter.thm/images/pic01.jpg
200 GET 345l 1180w 14124c http://silverplatter.thm/
301 GET 7l 12w 178c http://silverplatter.thm/assets/css => http://silverplatter.thm/assets/css/
301 GET 7l 12w 178c http://silverplatter.thm/assets/js => http://silverplatter.thm/assets/js/
[###>----------------] - 2m 185329/1038159 8m found:18 errors:0
301 GET 7l 12w 178c http://silverplatter.thm/assets/sass => http://silverplatter.thm/assets/sass/
301 GET 7l 12w 178c http://silverplatter.thm/assets/sass/layout => http://silverplatter.thm/assets/sass/layout/
301 GET 7l 12w 178c http://silverplatter.thm/assets/sass/components => http://silverplatter.thm/assets/sass/components/
301 GET 7l 12w 178c http://silverplatter.thm/assets/sass/base => http://silverplatter.thm/assets/sass/base/
301 GET 7l 12w 178c http://silverplatter.thm/assets/sass/libs => http://silverplatter.thm/assets/sass/libs/
[##################>-] - 14m 1902644/2076304 0s found:23 errors:3
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_silverplatter_thm_-1739777048.state ...
[##################>-] - 14m 1902688/2076304 0s found:23 errors:3
[####################] - 12m 207629/207629 293/s http://silverplatter.thm/
On the web server running on port 8080, we discover two directories: /website and /console. Both seem intriguing, but /console redirects to a static nodirect.html page, and /website redirects to /website/, which is restricted with a "Forbidden" error.
┌──(kali㉿kali)-[~]
└─$ feroxbuster -u 'http://silverplatter.thm:8080/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://silverplatter.thm:8080/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 1l 4w 74c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302 GET 0l 0w 0c http://silverplatter.thm:8080/website => http://silverplatter.thm:8080/website/
404 GET 1l 2w 68c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
302 GET 0l 0w 0c http://silverplatter.thm:8080/console => http://silverplatter.thm:8080/noredirect.html
[####################] - 12m 415258/415258 0s found:2 errors:0
[####################] - 12m 207629/207629 297/s http://silverplatter.thm:8080/
[####################] - 12m 207629/207629 297/s http://silverplatter.thm:8080/website/
We look at the page manually on port 80.
Under the Contact section, we identify a potential user listed as the project manager for Silverpeas.
On the website on port 8080 we find nothing on the index page and /website redirects us to /website/, which is forbidden.
Multiple 403 bypass techniques and automated scripts proved ineffective. Given the username and a hint of potential brute-forcing in the room description, we attempted basic authentication brute-forcing using Hydra, but this also failed.
Initial Access
However, the contact form reference to Silverpeas proves useful. Entering it as a directory at http://silverplatter.thm:8080/ results in a hit—a Silverpeas login page. While there are known CVEs for Silverpeas, they are not required for this challenge.
http://silverplatter.thm:8080/silverpeas
Now we capture a log in request to craft our hydra command.
We forward the intercepted login request to capture the server's invalid response message, which can help us identify any clues or patterns to fine-tune our brute-force attack.
We are able to log in as scr1ptkiddy at Silverpeas.
After logging in as scr1ptkiddy, we notice a single notification displayed on the dashboard.
In the personal workspace, we can inspect our notifications.
Shell as Tim
We intercept the request of inspecting the message and see that an ID is queried, here ID 5.
Upon discovering an IDOR (Insecure Direct Object Reference), we exploit it to inspect the messages of other users. In particular, we find that the message with ID 6 contains the SSH credentials for the user tim.
Next, we use those credentials to log in via SSH.
We find the user flag in the home directory of the user tim.
Privilege Escalation
By examining Tim's group memberships, we find that he is part of the adm group, which grants him access to view logs located in /var/logs. This could potentially contain sensitive information that might help us escalate privileges further.
There is also the user tyler.
Shell as Tyler
So lets search for entries of the user tyler.
And we do find some database credentials. Maybe they are reused.
We successfully switched to the user tyler using those credentials.
The user is granted permission to run any command as root without a password. We use sudo su to switch to root, navigate to the root directory, and find the final flag.
