Skip to content

Silver Platter -- TryHackMe (write-up)

Difficulty: Easy Box: Silver Platter (TryHackMe) Author: dsec Date: 2025-08-20

TL;DR

Generated password list with cewl, logged into Silverpeas. IDOR on notification IDs leaked SSH creds. Pivoted to tyler via log grep (adm group). Tyler had sudo root.

Target info

  • Host: 10.10.21.22
  • Services discovered: 22/tcp (ssh), 80/tcp (http), 8080/tcp (http-proxy)

Enumeration

Nmap results

Web page

Quick scan:

Quick scan

More enumeration

Service enum

Fuzzed port 8080:

Fuzz 8080

Guessed /silverpeas:

Silverpeas login

Generated password list from the website with cewl (rockyou didn't work):

cewl 10.10.21.22 > passwords.txt

cewl results

Top password worked:

Login success

Exploitation

Found an IDOR -- changed notification ID=5 to ID=6:

IDOR

  • tim:cm0nt!md0ntf0rg3tth!spa$$w0rdagainlol

SSH as tim

Lateral movement

Ran LinEnum:

LinEnum

Groups

  • adm group means can read logs in /var/log

Searched logs for tyler:

cd /var/log && grep -iR tyler

Grep results

Password found

  • Password: _Zd_zx7N823/

Privilege escalation

su tyler

Root shell

Lessons & takeaways

  • Use cewl to generate passwords from the target website when rockyou fails
  • Watch for IDORs when reading messages/notifications -- increment the ID
  • adm group (id command) allows reading /var/log -- grep for usernames to find creds
  • Fuzz non-standard ports (8080) for hidden directories