Dav

Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn), which skips host discovery so a target that drops ICMP is still scanned:
nmap -Pn 10.10.1.27

Detailed nmap scan:
Command breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p 80): Scan only port 80
(-oN nmap): Save the output to a file called nmap
nmap -sV -sC -p 80 -oN nmap 10.10.1.27

Enumeration
Let's visit the site.

It's a default Apache2 page, so let's run gobuster to find hidden directories.
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.1.27/

We have a directory called /webdav, let's go check it out.

We have to log in, but we do not have a username or a password, so let's look for default credentials. Searching on Google, I found this article, and in it a default username and password.

Now let's try to log in.

We are logged in, so let's look at the password.dav file.

We have a username and a password.
Exploitation
After this I looked for WebDAV vulnerabilities and found that the share lets us upload files, so if we upload a reverse shell and request it, the server will execute it and connect back to us.
We can upload a file using the command below (curl's --upload-file sends an HTTP PUT); you can find a reverse shell here.
curl --user "wampp:xampp" http://10.10.1.27/webdav/ --upload-file /root/shell.php

After uploading it, refresh the page and you should see the file.

Now let's start a reverse shell listener.

Now click the file on the webpage and you should get a reverse shell.

Now let's stabilize the shell.

Now you can read the user flag.
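From the server's side, the whole exploitation phase above is visible in the Apache access log: an authenticated PROPFIND/PUT to /webdav/ as the default XAMPP account, a 2xx response to a PUT of a .php file, and then a GET of that same file. The script below is an added example (not part of the original writeup) that runs that detection logic over constructed Apache combined-format log lines. The log lines, the IP address and the timestamps are made up; the /webdav/ prefix and the wampp account name come from the writeup.

```python
import re
from typing import List, Optional

# Apache combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# WebDAV methods that create or rename content on the server.
WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL"}
# Extensions Apache may hand to an interpreter; a successful write of one of
# these into a DAV share is the event the curl upload in the writeup produces.
EXEC_EXT = (".php", ".php3", ".php5", ".phtml", ".phar")
# Default XAMPP WebDAV account named in the writeup.
DEFAULT_DAV_USERS = {"wampp"}

# Constructed sample log; not captured from a real system.
SAMPLE_LOG = """
10.10.1.5 - - [12/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 10918
10.10.1.5 - wampp [12/Jan/2024:10:00:05 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1234
10.10.1.5 - wampp [12/Jan/2024:10:00:09 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0
10.10.1.5 - wampp [12/Jan/2024:10:00:12 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0
10.10.1.5 - wampp [12/Jan/2024:10:00:20 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0
10.10.1.5 - - [12/Jan/2024:10:00:30 +0000] "PUT /webdav/x.php HTTP/1.1" 401 381
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_webdav_abuse(lines: List[str], dav_prefix: str = "/webdav/") -> List[dict]:
    """Flag successful executable uploads into the DAV share, later requests for
    those files, and any successful authentication as a default DAV account."""
    findings = []
    uploaded = set()        # executable paths written successfully so far
    default_users_seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(dav_prefix):
            continue
        ok = 200 <= rec["status"] < 300          # rejected (401/403) requests are not uploads
        base = {"ip": rec["ip"], "user": rec["user"], "path": rec["path"], "ts": rec["ts"]}

        if ok and rec["user"] in DEFAULT_DAV_USERS and (rec["ip"], rec["user"]) not in default_users_seen:
            default_users_seen.add((rec["ip"], rec["user"]))
            findings.append({**base, "reason": "default XAMPP WebDAV account authenticated successfully"})

        # For MOVE/COPY the destination lives in a header Apache does not log,
        # so only the request-URI is checked here.
        if ok and rec["method"] in WRITE_METHODS and rec["path"].lower().endswith(EXEC_EXT):
            uploaded.add(rec["path"])
            findings.append({**base, "reason": "executable file written via WebDAV write method"})

        if ok and rec["method"] == "GET" and rec["path"] in uploaded:
            findings.append({**base, "reason": "previously uploaded executable was requested (likely executed)"})
    return findings


if __name__ == "__main__":
    for f in detect_webdav_abuse(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['user']} {f['path']}: {f['reason']}")
```

Run against the constructed sample, the PUT of notes.txt (not executable) and the PUT of x.php that was refused with 401 produce nothing, while the three events that make up the attack chain are each reported. In production the same logic can feed a SIEM rule; the underlying fixes are to change the XAMPP default account, deny PUT/MOVE/COPY/MKCOL on the share for anyone who does not need write access, and keep the DAV directory outside the PHP handler so an uploaded .php file is served as text rather than executed.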

Privilege Escalation
Let's run sudo -l to see what we can run as other users.

Looks like we can run /bin/cat with sudo, so let's read the root.txt file with it.
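The root of this privilege escalation is a sudoers rule that grants a general-purpose file utility with no argument restriction, which is equivalent to granting read access to every file root can read. The audit script below is an added example, not part of the original writeup: it parses sudo -l style output and flags such rules. The sample output (user name, host name and the extra rules) is constructed; only the /bin/cat rule mirrors what the writeup describes.

```python
import os
import re
from typing import List

# One sudoers rule as "sudo -l" prints it: "(runas) [TAG: ...] cmd [args], cmd [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# General-purpose utilities that read or edit whatever path they are given.
# Allowing one of them via sudo without pinning the arguments hands out access
# to every file the run-as user can reach, which is how root.txt is read above.
UNRESTRICTED_FILE_TOOLS = {"cat", "less", "more", "head", "tail", "vi", "vim", "nano"}

# Constructed sample of "sudo -l" output; only the /bin/cat rule reflects the writeup.
SAMPLE_SUDO_L = """
Matching Defaults entries for merlin on ubuntu:
    env_reset, mail_badpass

User merlin may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/cat
    (root) NOPASSWD: /bin/cat /var/log/syslog
    (ALL) /usr/bin/vim, /usr/sbin/service apache2 restart
"""


def parse_sudo_l(output: str) -> List[dict]:
    """Split sudo -l output into one record per (runas, binary, args) command spec."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                     # header / Defaults lines are not rules
        runas = m.group("runas")
        tags = m.group("tags").replace(":", "").split()
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if parts:
                rules.append({"runas": runas, "tags": tags, "binary": parts[0], "args": parts[1:]})
    return rules


def audit_sudo_rules(output: str) -> List[dict]:
    """Flag file-access utilities granted without an argument restriction."""
    findings = []
    for rule in parse_sudo_l(output):
        name = os.path.basename(rule["binary"])
        if name in UNRESTRICTED_FILE_TOOLS and not rule["args"]:
            findings.append({
                "runas": rule["runas"],
                "command": rule["binary"],
                "nopasswd": "NOPASSWD" in rule["tags"],
                "reason": f"{name} runs as {rule['runas']} with unrestricted arguments; "
                          "pin the allowed file paths or remove the rule",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{flag}{f['command']} ({f['runas']}): {f['reason']}")
```

On the sample, the bare /bin/cat rule and the bare /usr/bin/vim rule are flagged, while "/bin/cat /var/log/syslog" is accepted because its argument is pinned, and "service apache2 restart" is a fixed action rather than a file tool. The same check can be run over /etc/sudoers and /etc/sudoers.d/* by feeding the rule lines through the same parser, since the command-spec syntax is identical.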
