Silver Platter TryHackMe Motion Graphics Writeup | Beginner Friendly | Detailed Walkthrough | Silver-platter THM

Sunny Singh Verma [ SuNnY ]
9 min read · Jan 13, 2025

A detailed motion graphics writeup for the TryHackMe room Silver Platter

Kudos to the Creator of this Room →

ROOM TYPE :

Difficulty → Easy
[ Name : Silver Platter ]
This is a Free Room. Anyone can deploy virtual machines in the room
(without being subscribed)!

ROOM OBJECTIVES →

  1. User Flag
  2. Root Flag

Let’s Fire Up the Machine 🔥

Saving IP to Hosts File

Let’s begin by adding the IP address to the hosts file
and giving it a domain name →
silverplatter.thm ( This can be anything )

echo "IP-OF-YOUR-MACHINE silverplatter.thm" | sudo tee -a /etc/hosts

Other Way :

** You can use any text editor for this : vim , subl , etc →

sudo nano /etc/hosts
IP-ADDRESS-OF-YOUR-MACHINE     silverplatter.thm
( Control + X and Y [yes] for saving the file )
Don’t forget to put your machine’s IP address in place of
“IP-ADDRESS-OF-YOUR-MACHINE”

Creating a Folder and adding IP to the Hosts file for easy domain access

Objective 1 : What is the user flag?

Initial Reconnaissance ( Nmap Scan )

nmap -sVC silverplatter.thm -o nmap.txt
PORT     STATE SERVICE    VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
(Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_ 256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http-proxy
|_http-title: Error
| fingerprint-strings:
| FourOhFourRequest, HTTPOptions:
| HTTP/1.1 404 Not Found
| Connection: close
| Content-Length: 74
| Content-Type: text/html
| Date: Sun, 12 Jan 2025 11:44:58 GMT
| <html><head><title>Error</title></head><body>404 -
| Not Found</body></html>
| GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest,
| SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
| Connection: close
| GetRequest:
| HTTP/1.1 404 Not Found
| Connection: close
| Content-Length: 74
| Content-Type: text/html

There are 3 Ports Discovered in Open State →

1. Port 22 — TCP — OpenSSH 8.9p1 Ubuntu

2. Port 80 — TCP — HTTP →

The landing page has 4 directories → Intro , Work , About and Contact

3. Port 8080 — TCP — Http-proxy

Port 8080 returns a 404 error

Upon checking the Contact page we find that Silverpeas is installed on the server, and a username, scr1ptkiddy, is also shared with us.

After a little research we find that the default installation location for Silverpeas is → http://localhost:8000/silverpeas

The URL location is shared below for the official website where the installation notes were discovered →

Since there is already a Port 8080 found let’s check →

http://silverplatter.thm:8080/silverpeas

A login page is found on Port 8080 /silverpeas

We only have the username scr1ptkiddy. We can either perform a brute-force attack or find other ways to get access; since this is an easy room, we will solve it in a basic way.

Let’s do a little research for default login credentials, if they exist →

So we have found the default credentials for silverpeas →

SilverAdmin:SilverAdmin

Trying to log in with the default credentials did not give us access.

Let’s search for Silverpeas exploits using Google or any other search engine of your choice.

We found a useful GitHub page →

We found that Silverpeas is vulnerable to an authentication bypass exploit.

It’s always advised to refer to the resource link provided
and read the article to get a better understanding of the exploit.
Resource Link →

https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d

Silverpeas (up to 6.3.4) has a critical authentication bypass flaw where omitting the Password field in the login request lets you log in as any valid user.

How it works:

When we tried to log in using the default credentials earlier,
this was the URL shown after the failed login attempt:

http://silverplatter.thm:8080/silverpeas/defaultLogin.jsp?DomainId=0&ErrorCode=1

The exploit suggests the use of the following payload to be granted access as “SilverAdmin” (the default super admin):

Login=SilverAdmin&Password=SilverAdmin&DomainId=0

We are going to use Burp Suite to intercept the POST request made by the login form, replace the password placeholder and forward the POST request, which gives us the login for the user scr1ptkiddy.

To make things easy I am sharing a motion graphics image for better understanding →

We are now able to log in as the user → scr1ptkiddy. We are now logged in as an admin user, and next we have to find a way to the user.
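From the defender's side, the request shape described above (a login POST with no Password field) is easy to recognise in a servlet filter, WAF rule or reverse proxy that inspects form bodies. The following is an added example, not part of the original writeup or the linked gist; the field names come from the login request quoted above, and the client addresses and sample bodies are constructed.

```python
from urllib.parse import parse_qs

# Field names taken from the login request quoted in this writeup.
LOGIN_FIELD, PASSWORD_FIELD = "Login", "Password"

def classify_login_body(body):
    """Return how the Password field appears in a form-encoded login body."""
    fields = parse_qs(body, keep_blank_values=True)
    if LOGIN_FIELD not in fields:
        return "not-a-login"
    values = fields.get(PASSWORD_FIELD)
    if values is None:
        return "password-missing"      # the shape the advisory describes
    if len(values) > 1:
        return "password-duplicated"   # parameter pollution, also worth a look
    if values[0] == "":
        return "password-empty"
    return "ok"

def flag_logins(records):
    """records: iterable of (client_ip, body). Returns the suspicious attempts."""
    alerts = []
    for client, body in records:
        verdict = classify_login_body(body)
        if verdict not in ("ok", "not-a-login"):
            login = parse_qs(body).get(LOGIN_FIELD, ["?"])[0]
            alerts.append((client, login, verdict))
    return alerts

# Constructed sample bodies, as an inspecting proxy or filter would see them.
SAMPLE = [
    ("198.51.100.20", "Login=SilverAdmin&Password=SilverAdmin&DomainId=0"),
    ("203.0.113.7", "Login=scr1ptkiddy&DomainId=0"),
    ("203.0.113.7", "Login=scr1ptkiddy&Password=&DomainId=0"),
    ("198.51.100.20", "q=search+terms"),
]

if __name__ == "__main__":
    for alert in flag_logins(SAMPLE):
        print(alert)
```

The same check can reject the request outright instead of alerting; the lasting fix is upgrading Silverpeas past the affected versions.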

After doing a little research we found that there is a Proof of Concept exploit with the CVE-2023-47323
Resource Link →

Since we are logged in with admin access, we can run the following PoC.

CVE-2023-47323 is a vulnerability in Silverpeas Core 6.3.1 that allows unauthorized users to access private messages by manipulating the ID parameter in the messaging system. This oversight in access control lets attackers read messages from other users, including those meant for administrators, potentially compromising sensitive information.

We are now going to change the ID parameter, beginning from 1, until we get to a sensitive page or other important information.

http://silverplatter.thm:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=[messageID]

We are going to start from messageID 1

Motion Graphics for better understanding →

We found a user, Tim, and his credentials on →

http://silverplatter.thm:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=6

We have found SSH credentials for the username tim, which will possibly lead us to our first objective, the user flag.
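Walking the ID parameter like this leaves a recognisable trail in the web access log: one client requesting a run of consecutive message IDs. The following detection sketch is an added example, not part of the original writeup; it assumes common/combined log format, and the log lines, client addresses and the run threshold are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: ip ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
READ_PATH = "/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp"  # path from this writeup

def message_ids_by_client(lines):
    """Map client IP -> list of numeric message IDs it requested."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        ids = parse_qs(url.query).get("ID", [])
        if url.path == READ_PATH and len(ids) == 1 and ids[0].isdigit():
            seen[m["ip"]].append(int(ids[0]))
    return seen

def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... among the distinct IDs."""
    uniq = sorted(set(ids))
    best = run = 1 if uniq else 0
    for a, b in zip(uniq, uniq[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def enumeration_suspects(lines, min_run=4):
    """Clients whose requested IDs contain a consecutive run >= min_run."""
    return {ip: sorted(set(ids))
            for ip, ids in message_ids_by_client(lines).items()
            if longest_consecutive_run(ids) >= min_run}

def _line(ip, target):
    return f'{ip} - - [12/Jan/2025:11:50:00 +0000] "GET {target} HTTP/1.1" 200 812'

# Constructed sample: one client walks IDs 1..6, another reads two of its own.
SAMPLE = [_line("203.0.113.7", f"{READ_PATH}?ID={i}") for i in range(1, 7)]
SAMPLE += [_line("198.51.100.20", f"{READ_PATH}?ID=12"),
           _line("198.51.100.20", f"{READ_PATH}?ID=40"),
           _line("198.51.100.20", "/silverpeas/defaultLogin.jsp")]

if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE))
```

Logs cannot show who owns a message, so this is only a heuristic; the real control is a server-side ownership check on every message read.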

Objective 2 : What is the root flag?

Privilege Escalation to Root

After exploring we found that there is another user → Tyler, and that the user Tim, which we are logged in as, is in the adm group.

Let’s also do the classic sudo -l approach.

We can’t do anything with the user Tim that we are currently logged in as, and we need to find a way to switch user to Tyler for privilege escalation.

After Googling the adm group for Linux →

The adm group in Linux is used for administrative tasks, typically granting access to system log files stored in /var/log. Members of this group can read important logs like /var/log/syslog and /var/log/auth.log, which are restricted for regular users.

We find around 3 auth.log files inside /var/log.

We have to look for an entry in auth.log for a successful SSH login done by the user Tyler in the past.

We can use the grep command to look for specific keywords in all the auth.log files at once →

cat /var/log/auth* | grep -ai -e 'tyler' -e 'pass' -e 'ssh'

After searching through the auth log files we found the password which was used to log in as user Tyler

So we now know our user and password

Let’s try to switch the user from Tim to Tyler.

We were able to log in using the password found in the auth.log files and switched to the user Tyler.

Let’s continue our privilege escalation journey and try to find the sudo privileges that the user Tyler has.

The next step is to run sudo -l as Tyler; we found that Tyler has all the sudo privileges and can execute all commands as root. From here we can switch directly to the superuser by executing the command →
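The mitigation side of this step is to audit what ends up in auth.log before a member of the adm group reads it. The following is an added example, not part of the original writeup: it flags key=value style secrets in auth log lines and redacts them in its own output. The key-name heuristic, the sample lines, the host name and the commands in them are constructed assumptions and do not reproduce the log entry found in this room.

```python
import re

# Heuristic (assumption): a key containing pass/secret/token, then '=' or ':',
# then a value. Plain "Accepted password for ..." lines do not match.
SECRET_RE = re.compile(r"(?i)\b([\w-]*(?:pass|secret|token)[\w-]*)([=:])(\S+)")

def find_exposed_secrets(lines):
    """Return (line_number, [keys], redacted_line) for lines carrying secrets."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        keys = [m.group(1) for m in SECRET_RE.finditer(line)]
        if keys:
            redacted = SECRET_RE.sub(
                lambda m: m.group(1) + m.group(2) + "<redacted>", line)
            findings.append((lineno, keys, redacted.strip()))
    return findings

# Constructed auth.log lines; "app-cli" and "job.sh" are hypothetical programs.
SAMPLE = [
    "Jan 12 10:01:02 host1 sshd[812]: Accepted password for tim "
    "from 198.51.100.20 port 50022 ssh2",
    "Jan 12 10:05:40 host1 sudo:    tyler : TTY=pts/0 ; PWD=/home/tyler ; "
    "USER=root ; COMMAND=/usr/bin/app-cli --db-password=EXAMPLE-NOT-REAL migrate",
    "Jan 12 10:06:10 host1 sudo:    tyler : TTY=pts/0 ; PWD=/ ; "
    "USER=root ; COMMAND=/usr/bin/env API_TOKEN=EXAMPLE-NOT-REAL /opt/job.sh",
]

if __name__ == "__main__":
    for lineno, keys, redacted in find_exposed_secrets(SAMPLE):
        print(lineno, keys, redacted)
```

Any hit means the credential should be rotated and the command changed to read the secret from a file or prompt, since sudo logs the full command line.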
sudo su

We are Root !

Aaaaaaaaanddddddddddddddddddd we have solved this Room !

Thank you !
SuNnY