DAV - A TryHackMe Writeup
Start the machine and let it fully boot.
When we run an nmap scan on it we find that it only has port 80 open.
Let's take a look at the page!
We only get the default Apache2 page, looks like they haven’t replaced the default index.html file. We can try running gobuster to see if we can find any other pages that might have been added to the server.
Oh, looks like we found something interesting. Let's take a look at that page to see what we can find.
Unfortunately it only prompts for a username and password. We are unable to view the page source for this page, as it just keeps prompting for a login. Hmm. What exactly IS WebDAV anyway?!
Upon investigating it, we find a site that has default credentials that we can try.
Upon logging in, we get the directory listing of webdav.
Looks like the passwd.dav file is just the hashed version of the username/password combo we just logged in with.
So now what? We have no other directories to try, since nothing else of use came up in gobuster. What if we try uploading to this directory? If we research WebDAV exploits, Metasploit has one, xampp_webdav_upload_php, but we can just use curl to do it ourselves. Find a reverse shell PHP file, edit it for your IP and whatever port you want, and then try uploading it.
If we run a netcat listener on our machine and then click on the PHP shell we uploaded, we should get a shell.
Now that we have a shell we can navigate around. In the home folder we can see there is a user named merlin, and in that folder we find the user flag!
If we run sudo -l we find that we can run cat with root privileges with no password. Easy enough; let's assume the root flag is in root/root.txt and we can view that with no problems.
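From the defender's side, the upload-then-execute sequence used above leaves a distinctive trail in the Apache access log: a PUT (or MOVE/COPY) of a script file into the WebDAV share, followed by a GET of that same path. The following Python script is an added example, not part of the original writeup; the `/webdav/` prefix, the `davuser` account and the sample log lines are constructed assumptions.

```python
import re

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

DAV_PREFIX = "/webdav/"                          # assumed DAV share location
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL"}  # WebDAV methods that create content
EXEC_EXT = (".php", ".phtml", ".phar")            # extensions Apache may hand to PHP

def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webdav_upload_abuse(lines):
    """Flag script uploads into the DAV share and any later GET of those files.

    Each alert is (kind, method, path, ip, user, succeeded).
    """
    uploaded = {}   # path -> (ip, user) of a successful script upload
    alerts = []
    for line in lines:
        r = parse(line)
        if not r or not r["path"].startswith(DAV_PREFIX):
            continue
        ok = r["status"].startswith("2")
        if r["method"] in WRITE_METHODS and r["path"].lower().endswith(EXEC_EXT):
            alerts.append(("script_upload", r["method"], r["path"], r["ip"], r["user"], ok))
            if ok:
                uploaded[r["path"]] = (r["ip"], r["user"])
        elif r["method"] == "GET" and ok and r["path"] in uploaded:
            # The uploaded script was requested: treat as execution of the web shell.
            alerts.append(("script_executed", "GET", r["path"], r["ip"], r["user"], ok))
    return alerts

# Constructed sample log (not captured from the TryHackMe machine).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 10918
10.0.0.5 - davuser [01/Jan/2024:10:01:00 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 812
10.0.0.5 - davuser [01/Jan/2024:10:02:00 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0
10.0.0.5 - davuser [01/Jan/2024:10:02:30 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0
10.0.0.5 - davuser [01/Jan/2024:10:03:00 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for alert in find_webdav_upload_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same check is easier to avoid needing at all: on a DAV-enabled directory, turning the PHP handler off (or denying requests for `*.php` there) stops an uploaded file from ever being executed.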