Try Hack Me: Silver Platter CTF Challenge

Malarum,

Hello! I am going to be doing my write up for Tryhackme’s newest box Silver Platter!

As always we start of with the enumeration phase. I started by running nmap on this box and discovered 3 open ports Port 22,80, and 8080

I then went with the service and version detection

We can see that ssh, http, and an http-proxy are running as is common for these ports. Let’s check out the web page

Looks like an interesting webpages. If we check out each of the tabs here we eventually come to the contact tab and see this message:

So now we know there is a program running on this device called silver peas and we have a username of scr1ptkiddy. Let’s add these to my notes. I then did some directory enumeration but it didn’t turn up anything interesting.

Let’s try going to /silverpeas

There’s nothing here. I then went to the port 8080 on the webpage

We get a 404 page here aswell! I then tried /silverpeas on this port

Looks like we have a login page! We know that it is silverpeas so I then went and looked for silverpeas vulnerabilities

I found CVE-2024-36042. This allows for authentication bypass if we remove the password from the login request it should allow for us to bypass the authentication. let’s try that. First I loaded up burpsuite and intercepted the login request using the username I found “scr1ptkiddy”

I then removed the password from the request and forwarded it

I then turned Intercept off and now we are logged in at scr1ptkiddy!

Taking a look around the website I decided to take a look at the directory

Now I know we have 2 other users, Manager and Administrator!

I also know noticed I have a notification

We now know there is another person named Tyler on the machine. Looking around the rest of the website, I do not see anything else interesting. I tried then to login as other users. Logging in as manager now I found the following notifications:

We now have an ssh password for the user Tim! I also logged in to the SilverAdmin Account and did not find anything interesting. I then logged in as Tim via SSH and now have shell access to the box!

Typing LS we then see our first flag! user.txt

Now for privilege escalation to root. Look at times Groups I can see he is a part of the adm group which means he is able to read logs.

I then looked into the logs for credentials. I will spare you the boring parts but the juicy parts are the auth logs I searched the following:

We can see that there are some plain text credentials here that was used by Tyler to run a Postgres database. We know that often times credentials are reused so lets store those. We also know that there is user called Tyler. Let’s confirm that.

there is a user named tyler on this machine. I also checked Tylers groups and we can see he is Sudo! We have a path to Root!

We then try to login as Tyler with the password we found earlier

we are Tyler now! Now that we are Tyler we can simply Sudo su!

Now that we have root it’s as simple as going to cat /root/root.txt and we have our flag!

I hope you enjoyed this walk through of this box! Happy Hacking!

TryHackMe Writeups

Leave a Reply

Your email address will not be published. Required fields are marked *