Enumeration
I started by enumerating ports with nmap and found three open ports:
- 80 → HTTP
- 22 → SSH
- 8080 → HTTP proxy (suspicious)
On port 80, I discovered some useful information in the “Contact” section:
If you’d like to get in touch with us, please reach out to our project manager on Silverpeas. His username is “scr1ptkiddy”.
After a quick search, I learned that Silverpeas is a project-sharing platform, typically hosted at <ip>:8080/silverpeas.
Exploiting Silverpeas
Visiting that URL revealed a Silverpeas login page.
While researching, I found a known vulnerability in the login form: Silverpeas login bypass.
The trick is simple: in the POST request, if you remove the Password parameter, you can log in directly as any valid user.
Once inside, I noticed an administrator account (with a fondness for French), using the default ID/username SilverAdmin.
With this account, I gained access to the messages section, where I found the following credentials:
Dude how do you always forget the SSH password? Use a password manager and quit using your silly sticky notes.
Username: tim
Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
User Access
Using these credentials, I successfully logged in via SSH as tim and obtained the user.txt flag.
While exploring, I noticed that tim belonged to the adm group, which has permission to read system log files in /var/log.
Privilege Escalation
I searched the log files for useful information with keywords such as password, tyler (another user with sudo privileges), root, or CRON. The only interesting hit came from searching for tyler:
find /var/log -group adm -exec grep "tyler" {} \; 2>/dev/null
This revealed the following log entry:
Dec 13 15:45:57 silver-platter sudo[2616]: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:6.3.1
From this, I extracted a possible password: _Zd_zx7N823/
Initially, I tried to use it for accessing the database, but psql wasn’t installed on the target machine, and the database wasn’t exposed externally.
So, I tried the password for the user tyler — and it worked!
Once logged in as tyler, I confirmed that he had sudo privileges, which allowed me to read the final root.txt flag.
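The root cause of the escalation above is a secret passed on a sudo command line, which sudo then wrote into a log readable by the adm group. The following audit script is an added example, not part of the original write-up: it scans sudo log lines for secret-looking arguments and reports them redacted. The name heuristics, the `backup-tool` command and all sample lines are constructed assumptions.

```python
import re
import shlex

# sudo syslog format: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=<cmdline>"
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.+)$")
# Names that usually carry a secret (heuristic list, an assumption; extend as needed).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)

# Constructed sample lines (hosts, users, commands and values are made up).
SAMPLE = [
    "Jan 01 10:00:00 host sudo[100]: alice : TTY=tty1 ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/docker run -d -e DB_USER=app -e DB_PASSWORD=ExamplePw123 app:1.0",
    "Jan 01 10:01:00 host sudo[101]: alice : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 01 10:02:00 host sshd[102]: Accepted password for bob from 192.0.2.10 port 50000 ssh2",
    "Jan 01 10:03:00 host sudo[103]: bob : TTY=pts/1 ; PWD=/ ; USER=root ; "
    "COMMAND=/opt/example/backup-tool --token ConstructedTok42 --verbose",
]

def redact(value):
    """Keep two characters so the owner can identify which secret to rotate."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "****"

def find_secrets(cmdline):
    """Yield (name, value) for secret-looking KEY=VALUE and '--opt value' arguments."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command
        tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        name, sep, value = tok.lstrip("-").partition("=")
        if sep and value and SECRET_NAME.search(name):
            yield name, value
        elif (tok.startswith("-") and not sep and SECRET_NAME.search(tok)
              and i + 1 < len(tokens) and not tokens[i + 1].startswith("-")):
            yield name, tokens[i + 1]

def audit(lines):
    """Return one finding per secret exposed in a sudo COMMAND= field."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = SUDO_RE.search(line)
        if m:
            for name, value in find_secrets(m.group("cmd")):
                findings.append({"line": lineno, "user": m.group("user"),
                                 "name": name, "redacted": redact(value)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Any finding means the secret should be rotated and never reused as an account password; for Docker, supplying variables through `--env-file` keeps the values out of the logged command line.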