Dav

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so the host is scanned even if it does not answer ping:

nmap -Pn 10.10.1.27

Detailed Nmap Scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p 80): Scanning only port 80

  • (-oN nmap): Saving the normal output into a file called nmap

nmap -sV -sC -p 80 -oN nmap 10.10.1.27

Enumeration

Let's visit the site.

It's the default Apache2 page, so let's run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.1.27/

We have a directory called /webdav, so let's go check it out.

We have to log in, but we do not have a username or a password, so let's look for default credentials. Looking on Google, I found this article, and found a default username and password.

Now let's try to log in.

We are logged in; let's look at the password.dav file.

We have a username and a password.

Exploitation

After this, I looked for WebDAV vulnerabilities and found that we can upload a file, and then get a reverse shell if the file we upload is a reverse shell.

We can upload a file using this command; you can find a reverse shell here.

curl --user "wampp:xampp" http://10.10.1.27/webdav/ --upload-file /root/shell.php

After uploading it, refresh the page and you should see the file.

Now let's start a reverse shell listener.

Now click the file on the webpage and you should get a reverse shell.

Now let's stabilize the shell.

Now you can read the user flag.
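From the defender's side, the whole Exploitation section leaves a clear trace in the web server's access log: an authenticated PUT of a script under the WebDAV root, followed by a GET of that same path when the file is opened in the browser. The following is an added example (not code from the writeup or from the room) that flags that upload-then-execute chain in Apache combined-format log lines. The log lines, IPs and timestamps are constructed for illustration; the path prefix /webdav/ and the user name wampp are taken from the writeup.

```python
# Added example (not from the original writeup): flag the WebDAV
# upload-then-execute chain in Apache combined-format access logs.
import re

# Constructed sample log lines; the IPs, timestamps and user agents are
# illustrative, not captured from the target machine.
SAMPLE_LOG = """\
10.10.1.5 - - [01/Jan/2024:12:00:01 +0000] "GET /webdav/ HTTP/1.1" 401 512 "-" "curl/7.88.1"
10.10.1.5 - wampp [01/Jan/2024:12:00:02 +0000] "GET /webdav/ HTTP/1.1" 200 1024 "-" "curl/7.88.1"
10.10.1.5 - wampp [01/Jan/2024:12:00:05 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0 "-" "curl/7.88.1"
10.10.1.5 - - [01/Jan/2024:12:00:09 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.1.8 - wampp [01/Jan/2024:12:05:00 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0 "-" "curl/7.88.1"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Extensions the web server would hand to the PHP interpreter.
SCRIPT_EXTS = (".php", ".phtml", ".phar")
# WebDAV methods that create or rename a resource on the server.
WRITE_METHODS = ("PUT", "MOVE", "COPY")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_upload_chains(log_text, dav_prefix="/webdav/"):
    """Return findings for script uploads under the WebDAV root and for later
    GETs of those scripts: the upload is the first half of the chain, the GET
    that makes the server execute the script is the second half."""
    written = set()   # script paths successfully created under dav_prefix
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(dav_prefix):
            continue
        path, method, status = rec["path"], rec["method"], rec["status"]
        if method in WRITE_METHODS and path.lower().endswith(SCRIPT_EXTS):
            ok = 200 <= status < 300
            findings.append({
                "kind": "script_upload",
                # a rejected PUT is still an attempt worth seeing
                "severity": "high" if ok else "medium",
                "ip": rec["ip"], "user": rec["user"], "path": path, "status": status,
            })
            if ok:
                written.add(path)
        elif method == "GET" and path in written and status == 200:
            findings.append({
                "kind": "uploaded_script_executed",
                "severity": "critical",
                "ip": rec["ip"], "user": rec["user"], "path": path, "status": status,
            })
    return findings


if __name__ == "__main__":
    for finding in find_upload_chains(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the function reports the PUT of shell.php by wampp and the later GET of it, while the PUT of notes.txt and the failed 401 request are ignored. The fix on the server side is the usual one: keep script handlers disabled inside the WebDAV location and replace the default credentials that made the upload possible in the first place.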

Privilege Escalation

Let's run sudo -l to see what we can run as other users.

Looks like we can run /bin/cat as root, so let's read the root.txt file with it.
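The sudo rule that ends the box is an example of a grant an administrator should never hand out: a file-reading binary with no fixed arguments, runnable as root. The following is an added example (not code from the writeup) that parses `sudo -l` output and flags such rules, the check a defender would run across a fleet before someone else does. The sample output is constructed; "someuser" and "box" are placeholders, not the credentials or hostname from the room.

```python
# Added example (not from the original writeup): audit `sudo -l` output for
# rules that let a user run a file-reading binary as root with no fixed
# arguments, the grant abused in the Privilege Escalation section.
import os
import re

# Constructed sample output; "someuser" and "box" are placeholder names.
SAMPLE_SUDO_L = """\
Matching Defaults entries for someuser on box:
    env_reset, mail_badpass

User someuser may run the following commands on box:
    (ALL) NOPASSWD: /bin/cat
    (root) /usr/bin/less
    (ALL : ALL) /usr/bin/apt-get update
"""

# One rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$'
)

# Binaries whose job is to print whatever file the caller names.
FILE_READ_BINARIES = {
    "cat", "tac", "head", "tail", "more", "less", "nl", "od", "xxd", "base64", "strings",
}


def parse_sudo_l(output):
    """Extract the command rules from `sudo -l` output as a list of dicts."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m is None:
            continue
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in m.group("tags"),
            "cmd": m.group("cmd"),
        })
    return rules


def audit_sudo_rules(output):
    """Flag rules that grant an unrestricted file-reading binary."""
    findings = []
    for rule in parse_sudo_l(output):
        argv = rule["cmd"].split()
        binary = os.path.basename(argv[0])
        # A rule with no fixed arguments lets the user name any file, so
        # root-owned files such as root.txt become readable.
        if binary in FILE_READ_BINARIES and len(argv) == 1:
            findings.append({
                "binary": binary,
                "runas": rule["runas"],
                "nopasswd": rule["nopasswd"],
                "issue": "arbitrary file read as %s" % rule["runas"],
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```

On the constructed output the audit flags /bin/cat (NOPASSWD, as ALL) and /usr/bin/less (as root) and leaves the apt-get rule alone, since its argument is pinned to `update`. The remediation is to pin arguments in the sudoers entry or drop the grant entirely.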
