https://tryhackme.com/room/silverplatter
Keyword: Silverpeas, Privilege Escalation
Thank you very much to https://medium.com/@The_Hiker/silver-platter-tryhackme-walkthrough-thehiker-1dd6a014f3b4!
Tip: Don’t use the free AttackBox offered by TryHackMe! Instead, use the OpenVPN solution to access TryHackMe’s local network and feel free to experiment without limits!
As with other challenges, the first step is to run nmap to scan for open ports. The command is nmap -sC -sV 10.10.165.51
We found 3 open ports: 22, 80, and 8080. Port 22 is SSH, and we need a password to access it.

We gathered some information: this system runs Ubuntu and the web server uses an Nginx proxy.
Open a browser and navigate to http://10.10.165.51; nothing was found there. However, if you go to the About page, you’ll see a hint that this system uses Silverpeas.
Navigating to http://10.10.165.51:8080 also returns a 404 error.
Using dirsearch to scan for subdirectories on each website, we discovered something strange. On port 8080, we found some subdirectories, but they just redirect to /noredirect.html, which also returns nothing.
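From the defender's side, the dirsearch run described above leaves a recognizable trail in the web server's access log: one client requesting many distinct paths that mostly end in redirects or 404s. The following is an added example (not part of the original walkthrough) that flags this pattern; the log lines, IP addresses, paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx "combined" log lines; IPs, paths and times are made up.
SAMPLE_LOG = """\
10.9.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 302 0 "-" "scanner"
10.9.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /backup HTTP/1.1" 404 0 "-" "scanner"
10.9.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /console HTTP/1.1" 302 0 "-" "scanner"
10.9.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 404 0 "-" "scanner"
10.9.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /website HTTP/1.1" 302 0 "-" "scanner"
10.9.0.7 - - [01/Jan/2025:10:00:03 +0000] "GET /noredirect.html HTTP/1.1" 200 0 "-" "scanner"
10.9.0.20 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "browser"
10.9.0.20 - - [01/Jan/2025:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "browser"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
MISS = {301, 302, 404}  # assumption: statuses a guessed path typically produces

def find_enumeration(log_text, window=timedelta(seconds=60), min_paths=5, min_ratio=0.8):
    """Map client IP -> most distinct missed paths seen in any qualifying sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["path"].split("?")[0], int(m["status"])))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window until it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            seen = {p for _, p, _ in win}
            missed = {p for _, p, s in win if s in MISS}
            # Flag clients whose requests are mostly misses on many distinct paths.
            if len(missed) >= min_paths and len(missed) / len(seen) >= min_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(missed))
    return flagged

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct guessed paths in one window")
```

The window, path count and miss ratio need tuning against a site's normal traffic before the output is used for alerting.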

Is this the end? No, this is an Easy box!
What about http://10.10.165.51:8080/Silverpeas? Yes, it takes us to the Silverpeas login page. Trying the default credentials SilverAdmin/SilverAdmin doesn’t work.

Is this the end? No!
Looking at the line below, we see that this page was updated up to 2022. Since the service has not been updated since then, it appears that the latest version dates back to 2022. Therefore, CVEs from 2023 might be exploitable.