TryHackMe’s Silver Platter was released a couple of days ago and was marked as “Easy”. This is a write-up of the room.
Initial Reconnaissance
nmap showed three ports open: 22, 80 and 8080
In the meantime, browsing to the IP on port 80 showed a default static HTML page with a couple of bits of information
Default webpage was uninteresting
You can right-click each image and open it in a new tab, but path traversal etc. was quickly ruled out
Port 8080 was unavailable as well
Links on the Work page weren’t much help
But the contact page looked interesting
At this point
dirb wasn’t helpful
gobuster wasn’t helpful
nmap showed nginx and SSH, but neither looked vulnerable
After googling for a bit, we got a couple of hits for Silverpeas: https://www.silverpeas.org/intro.html
Randomly tried Silverpeas and got a hit
Searching CVEs led me to CVE-2024-36042
https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d
Which states:
<copy>
Silverpeas up to and including 6.3.4 is vulnerable to a trivial authentication bypass. When authenticating, if the sender omits the password form field, the application will sign you in as the user specified without any challenge.
E.g. the standard login request will look like this:
POST /silverpeas/AuthenticationServlet HTTP/2
Host: 212.129.58.88
Content-Length: 28
Origin: https://212.129.58.88
Content-Type: application/x-www-form-urlencoded
Login=SilverAdmin&Password=SilverAdmin&DomainId=0
This will fail login (unless they have forgotten to change the default password) and you will be redirected back to the login page with an error code.
But if you remove the password field like this:
POST /silverpeas/AuthenticationServlet HTTP/2
Host: 212.129.58.88
Content-Length: 28
Origin: https://212.129.58.88
Content-Type: application/x-www-form-urlencoded
Login=SilverAdmin&DomainId=0
Then the login attempt will (usually) succeed and redirect you to the main page, now logged in as a super admin.
The bug works with any valid user, but SilverAdmin is the default super admin.
Cause
The issue was a failure in how the app handled different login methods. The code that authenticated the user by username would assume that if a password had not been sent then it was an SSO-based login, where no password was required. This was patched as bug #14156, where they set a 'remotely authenticated' flag initially and check that later rather than just checking if the password value is null: github.com/Silverpeas/Silverpeas-Core/commi..
</copy>
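To make the “Cause” paragraph concrete, here is an added illustration (my own model, not Silverpeas code) of the pre-fix check next to the patched form: the vulnerable path treats a missing Password field as an SSO login, while the fixed path only trusts an explicit flag that a real SSO component would set. The user store, the request class and the field names are assumptions constructed for this example.

```python
# Added illustration of the login-handling bug described above; not Silverpeas code.
# USERS, LoginRequest and both authenticate_* functions are constructed assumptions.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Constructed user store: username -> password (a real system stores hashes).
USERS = {"SilverAdmin": "s3cret-admin-pw", "tim": "tim-pw"}


@dataclass
class LoginRequest:
    login: str
    password: Optional[str]               # None models an omitted Password form field
    remotely_authenticated: bool = False  # set only by a genuine SSO front-end


def parse_form_body(body: str) -> LoginRequest:
    """Build a request from an x-www-form-urlencoded body like the ones quoted above."""
    fields = parse_qs(body, keep_blank_values=True)
    return LoginRequest(login=fields.get("Login", [""])[0],
                        password=fields.get("Password", [None])[0])


def authenticate_vulnerable(req: LoginRequest) -> Optional[str]:
    """Pre-fix logic: a null password is taken to mean 'SSO already authenticated'."""
    if req.login not in USERS:
        return None
    if req.password is None:
        # Bug: absence of the field is mistaken for a remotely authenticated session.
        return req.login
    return req.login if USERS[req.login] == req.password else None


def authenticate_fixed(req: LoginRequest) -> Optional[str]:
    """Post-fix logic: the SSO path needs the flag set up front, never a null password."""
    if req.login not in USERS:
        return None
    if req.remotely_authenticated:
        return req.login
    if req.password is None:
        return None  # a form login with no password is always rejected
    return req.login if USERS[req.login] == req.password else None
```

Note that an empty Password field (Password=) is not the same as an omitted one: parse_qs keeps it as an empty string, which the vulnerable check compares and rejects, matching the write-up’s point that the field must be omitted entirely.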
Fired up Burp Suite and tried:
Username: SilverAdmin
Pass: test
Removing the password
And we are in
But the site is not in English
Checking, it looks like there is only a CLI option to change the site to English?
So that was not going to work out
Reading a bit more, came across CVE-2023-47323
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2023-47323
<copy>
To exploit this vulnerability, an attacker can use a script or Burp Suite Intruder to view all messages by attacking the ID parameter in this URL: http://localhost:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=[messageID] - the messages begin at "1" and increase in intervals of 1.
</copy>
Trying one ID at a time
Very interesting :-)
So we get a user and a password (not including the password here!)
The mail header/subject says “SSH”
Trying the same:
And we are in
And we get our user flag
But Tim does not have sudo rights
Checking, the system was Ubuntu 22 with kernel 5.15, vulnerable to DirtyCow https://dirtycow.ninja/
But Tim was a restricted user. There are a bunch of scripts for overwriting the SUID binary and /etc/passwd, but all of these need Tim to be able to run and compile C code at the very least, something the user doesn’t have the rights to do
Poking around the /etc/passwd file, there seemed to be another user, Tyler
Checking the logs randomly for Tyler, we see a couple of failed login attempts and installs of nginx and docker, and right below, the plaintext password for the postgres DB and Silverpeas (not including the password here)
Randomly tried the password and was able to su to Tyler :-)
And we have access to /root
That’s all folks!