You can find the machine here: Dav
As always, let’s start with an nmap scan.
When we visit the webpage, we see the Apache2 default page, so let’s run gobuster.
When we visit /webdav, it asks for credentials:
WebDAV (Web Distributed Authoring and Versioning) allows users to update, upload, delete, move, and copy files.
I searched for default credentials and I found:
And we’re in. Now we can use cadaver (a WebDAV client) to upload a shell.
Now we can execute it and get a shell.
The privesc is silly: we can run cat as root:
So let’s read the flags.
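The privesc above comes down to a sudo rule that lets an unprivileged account run cat as root, which exposes every file on the host. The following is an added example, not part of the original writeup, that audits `sudo -l` output for such rules; the sample listing, the user and host names, and the list of binaries are constructed assumptions.

```python
import os
import re

# Assumption: illustrative, non-exhaustive list of binaries that print file contents.
FILE_READERS = {"cat", "tac", "head", "tail", "less", "more", "nl", "od", "xxd"}

# Constructed `sudo -l` output; user and host names are placeholders.
SAMPLE = '''\
Matching Defaults entries for svc-web on examplehost:
    env_reset, mail_badpass

User svc-web may run the following commands on examplehost:
    (ALL) NOPASSWD: /bin/cat
    (root) /usr/bin/systemctl status apache2
    (ALL) NOPASSWD: /usr/bin/tail /var/log/apache2/access.log
    (ALL : ALL) /usr/bin/head ""
'''

ENTRY = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def runs_as_root(runas):
    """True if the Runas user list (before any ':group' part) includes root or ALL."""
    users = {u.strip() for u in runas.split(":")[0].split(",")}
    return bool(users & {"root", "ALL"})


def audit_sudo_listing(text):
    """Return (command, scope, nopasswd) for root-run file readers in `sudo -l` output."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY.match(line) if in_rules else None
        if not m or not runs_as_root(m.group("runas")):
            continue
        for cmd in m.group("cmds").split(", "):  # simple split; escaped commas not handled
            path, *args = cmd.split()
            if os.path.basename(path) not in FILE_READERS or args == ['""']:
                continue  # not a reader, or pinned to "no arguments" (stdin only)
            if not args:
                scope = "any-file"      # sudoers: no argument list means any arguments
            elif any("*" in a or "?" in a for a in args):
                scope = "wildcard"      # pattern may match more paths than intended
            else:
                scope = "fixed-args"    # limited to the listed arguments
            findings.append((path, scope, "NOPASSWD" in m.group("tags")))
    return findings
```

Any `any-file` or `wildcard` finding means the account can read root-only files such as `/etc/shadow`; replace the rule with a purpose-built command pinned to specific arguments, or remove it.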