Silver Platter (**pending completion on some parts)
Last updated
Last updated
The results showed that there were 3 open ports: 22, 80 and 8080.
I started off by enumerating SSH at port 22 first, to find the version number and a potential CVE.
After realizing that port 22 was least likely to be the vulnerable service (probably a rookie mistake for thinking that it was the vulnerable one in the first place :D), I went on to visit the website at port 80 instead
After running through the website with interception from Burp suite community, I viewed the sitemap generated (Target -> Site map), but didn't find any useful information.
After reading through the text content present, a particular term: silverpeas, and the username scr1ptkiddy caught my eye. I decided to research about it.
Silverpeas is a ...
From the results obtained in nmapabove, I tried to lookup for CVEs related to the particular version of nginx the web server is running: nginx 1.18.0.
...
From a quick on Google, I gathered various URL paths that are commonly used on a silverpeas application. Using the target IP and port 80 as the main host, I tried visiting the brief list of paths listed below:
/portal
/portal/login
admin
/portal/admin
/silverpeas
/silverpeas/portal
...
All the paths returned status code 404 (Not found).
I decided to start trying to play around with port 8080 instead. I visited the website at port 8080 while behind a Burp suite community proxy. After running a quick nmap scan, the results shows that it is running a http-proxy.
I went on to try visiting the paths I tried on port 80 previously, and got a positive result for /silverpeas (redirection to a login page instead of status code 404).
I decided to run a quick directory gathering scan on the found URL path with gobuster. I utilized a few different word-lists found on Kali Linux, along with a few popular ones that is not part of the default installation:
a) /usr/share/wordlists/wfuzz/general/common.txt
b) /usr/share/wordlists/dirb/common.txt
c) DanielMiessler's SecLists (https://github.com/danielmiessler/SecLists)
I found a few positive results ...
Searching for CVEs and exploits relating to JSP/2.3
From the X-powered-by response headers, ...
I tried using a few Metasploit payloads:
a) exploit/multi/http/struts_include_params
b) expoit/multi/http/struts2_content_type_ognl
Inspecting source code
...
After much research, I came across a vulnerability listing regarding silverpeas authentication bypass:
...
...
...
After playing around with the website at port 8080, I returned to Burp suite and looked through the gathered URLs. I found a POST request to a path with the AuthenticationServlet word present, this prompted me to test out the vulnerability I have found previously.
I sent the request to the Burp suite repeater and modified the request to remove the Password field:
Or with cURL:
Notice that the Login field (presumably the username section) has the value scr1ptkiddy, which was found in step 2 (enumerating port 80).
The response is as follows:
Notice that the server returned the following URL value in the Location header:
http://<target-url>:8080/silverpeas/Main//look/jsp/MainFrame.jsp
The following cookies are found from the Set-Cookie response headers from the request above, and must be set in the browser (under the Console tab for Google Chrome) for the dashboard to load. If not set, the page will redirect back to the login page (** the cookie seems to bet set automatically when using the proxy browser):
I visited the URL, and was navigated to a dashboard at the following URL:
http://<target-url>:8080/silverpeas/look/jsp/MainFrame.jsp
tim
cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
Method 1: CVE 2023-47323
Note that this method is ran as the regular user scr1ptkiddy.
Through the proof-of-concept detailed in the link above, I iterated through the URL with different ID values. I found that the ID value of 6 displays the SSH credentials:
http://10.10.105.62:8080/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=6
Testing the results with wfuzz:
The results from wfuzz showed a bunch of results with the content length (under the Chars header in the output) of 13201 and 13202. Thus, I decided to filter the results to only show those response with more than 13202 characters. (using the --filter flag):
The results will either display 2-3 responses, or a single response. By now, it should be clear from the results that the payload value of 6 have the highest content length.
Method 2: Reading the plain-text SSH password in message notification as the user "Manager"
I explored the page and found that there is another user named Manager, and an administrator named Administrateur. I tried logging in as the administrator by replacing the Login data field in the POST request with the values: administrator, Administrator, administrateur and Administrateur. The response simply returned the login page URL in the Location response headers - indicating a failed login attempt:
I tried to login as the user Manager instead, and received a similar response headers value as before:
The only difference in the response is that the svpLogin field in the Set-Cookie cookie changed to Manager, and a different JSESSIONID was returned. The Location response headers was the same as with the user scr1ptkiddy (.../silverpeas/Main//look/jsp/MainFrame.jsp).
After setting the cookie values on the browser console the same way as before, I navigated to the URL (in the Location field of the response headers), and was presented with a dashboard as the user Manager. I went on to read the message notifications and found the SSH credentials in plain-text.
Experimenting with CeWL
1. Generating a custom word list
Note: Run against port 80 (Main website) instead of the Silverpeas application at port 8080.
2. Utilizing ffuf to use the generated passwords word list to crack the password for the scr1ptkiddy user.
A bulk of the responses from ffuf appears to have the same status, size, words and lines (as shown from the output format). Thus, I tried a few methods to possibly filter a positive response:
Match status codes 200-209
-mc 200,209
This option does not work. It seems that a positive response also returns the same status code as the negative responses.
Filter regular expression patterns present in response
-fr "ErrorCode"
Other possible options
-fr "Login" - does not work since the word Login is present in the positive response
-fr "Login\?" - Matches the pattern Login?, which is only present in the negative responses
This option works to return a positive match for the password: adipiscing. Using the found password with the username scr1ptkiddy allows us to login to the dashboard. The method to retrieve the SSH credentials (refer to the details above - CVE 2023-47323) can be applied as the newly authenticated user.
Other CVEs to explore:
After running a few enumeration commands (https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking/privilege-escalation/linux/enumeration), I found out that the current user (tim) is in the adm group through the id command.
The adm group permissions allows the current user to read some files in the /var/log file. These files may contain sensitive log information, and are usually not readable by common users.
Found in /var/log/auth.log.2:
Dec 13 15:45:57 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=10 -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:6.3.1
I tried to access the Postgresql database, but it appears that the common CLI tools associated with Postgesql is not installed on the system.
Instead, I tried the found password: _Zd_zx7N823/ on the user tyler via SSH, and voila it worked!
After gaining a shell with the user tyler, I ran a few commands to check the privileges of this user. It appears the this user can run all commands with sudo privileges. Using the command sudo su root, I have gained root access.
To further my learning, I decided to continue enumerating the system as the user tim, and try to find other privilege escalation vectors.
a) /snap/core20/1974/usr/lib/openssh/ssh-keysign
/snap/core20/2264/usr/lib/openssh/ssh-keysign
are found to call a file with error: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
Adding the file to /tmp after appending/tmp to $SHELL does not work, and the directory: /snap/core20/[1974/2264]/usr/lib/openssh/is not writable too
b) /snap/core20/2264/usr/bin/sudo: error while loading shared libraries: libsudo_util.so.0: cannot open shared object file: No such file or directory
files looks for shared libraries at LD_LIBRARY_PATH env variable instead of PATH
Perhaps after fixing the issue of running /snap/core20/2264/usr/bin/sudo (creating fake shared library, etc.), use the sudo binary to run sudo actions
It seems that we have rxw permissions for the libsudo_util.so.0 binary found
/usr/bin/mount with SUIDRun mountable share (NFS) on attacker hosting shellcode with SUID bit, mount the share from target and execute
Tried to run NFS server on attacker: https://linuxize.com/post/how-to-install-and-configure-an-nfs-server-on-ubuntu-20-04/
There were 3 mount binaries found with SUID bit. When trying to mount the share from the attacker machine, we got the error: ...
/var/log/installer/autoinstall-user-data (? TO CHECK CORRECT PATH)Found hashed password: $6$uJuA1kpnd4kTFniw$/402iWwKzcYD8AMHG6bY/PXwZWOkrrVmtoO7qQpfvVLh1CHmiKUodwMGP7/awDYtrzpDHV8cNbpS1HJ6VMakN.
According to the room description, the system has a strong password policy. Thus, it will be really difficult and non-viable to try a password brute-force cracking attempt on this hash.
It seems that there is only 1 vector for privilege escalation.
