Silver Platter - CTF Notes
by Nicholas Coleman
- this is not a full write-up.
General
-
Their password policy requires passwords that have not been breached (they check it against the rockyou.txt wordlist).
-
IP address: 10.10.146.102
Scan:
- p - 22, 80, 8080
- http server -> nginx 1.18.0
Reconnaissance:
- Project Manager username: “scr1ptkiddy”
- for Silverpeas
- Founder: Tyler Ramsbey
- Feroxbuster directory scan on http port 80 -> nothing important
- However, port 8080 shows another story:
- there is a /website directory with subdirectories
- the /website directory is forbidden
Silverpeas login
- Attempt to use the contact details for Silverpeas
- that service is using 8080, so:
http://silverpeas.thm/silverpeas - Username is scr1ptkiddy
- Use custom wordlist to find password for silverpeas login
- Command Used:
hydra -l scr1ptkiddy -P passwords.txt silverpeas.thm -s 8080 http-post-form "/silverpeas/AuthenticationServlet:Login=^USER^&Password=^PASS^&DomainId=0:F=Login or password incorrect"- Found Password for scr1ptkiddy: [REDACTED]
Silverpeas website
Message Found:
- Tyler just asked if I wanted to play VR but he left you out scr1ptkiddy (what a jerk). Want to join us? We will probably hop on in like an hour or so.
- IDOR vulnerability.
- http://silverpeas.thm:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=6
- That URL allows me to see any messages on this site.
- ssh user found on site:
- username: tim
- password: [REDACTED]
SSH Time
- Groups:
- uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)
- Found user tyler:
- tyler:x:1000:1000:root:/home/tyler:/bin/bash
- tyler has root, and has the same name as the founder of the company
- Snooping through I find tyler POSTGRES password:
- [REDACTED]
- Maybe this works for his user account too?
- It works!
Root
- Since Tyler has root priveleges with no password needed, privelege escalation was not hard.
- Simply entering
sudo suis all I need.
Conclusions
- I need to work on my BurpSuite skills.
- I learned how to use custom wordlists with Hydra.
- IDOR vulnerability came in handy.
- I need to work on my ability to parse through large amounts of data more efficiently.