# Dav

![](/files/-McL3Nc85Vjx7PKe8H5e)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as online" flag (**-Pn**), which skips host discovery:

```
nmap -Pn 10.10.1.27
```

![](/files/-McL3kaNaiUd0TFzCD-e)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p**): Specifies the port to scan (80)
* (**-oN nmap**): Saves the output to a file called nmap

```
nmap -sV -sC -p 80 -oN nmap 10.10.1.27
```

![](/files/-McL4DfVADBd-ZOakAmx)

## Enumeration

Let's visit the site.

![](/files/-McL4_sRBBjBlDK8Zbzg)

It's the default Apache2 page, so let's run gobuster to find hidden directories.

```
gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.1.27/ 
```

![](/files/-McL6AE4we71Ln_lj5Kz)

We have a directory called `/webdav`. Let's go check it out.

![](/files/-McL6JkylQ_BziOkSysA)

We have to log in, but we do not have a username or a password, so let's look for default credentials. Searching on Google, I found this [article](http://xforeveryman.blogspot.com/2012/01/helper-webdav-xampp-173-default.html), which lists a default username and password.

![](/files/-McL6hROVrJVoxMrrtDv)

Now let's try to log in.

![](/files/-McL6skmUVOSzLhbQfyq)

We are logged in. Let's look at the `password.dav` file.

![](/files/-McL6zKeEl1pPNylwKWU)

We have a username and a password.

## Exploitation

After this, I looked for WebDAV vulnerabilities and found that we can upload files to the share, so uploading a reverse shell script gives us a reverse shell.

We can upload a file using the command below. You can find a reverse shell [here](https://github.com/pentestmonkey/php-reverse-shell).

```
curl --user "wampp:xampp" http://10.10.1.27/webdav/ --upload-file /root/shell.php
```

![](/files/-McL91Lf32Hx-BgXYgOl)

After uploading it, refresh the page and you should see the file.

![](/files/-McL9OkAwLOXXLPsl7KN)

Now let's start a reverse shell listener.

![](/files/-McL9UpNcgQ9cqcxAS8i)

Now click the file on the webpage and you should get a reverse shell.

![](/files/-McL9dQ0JOW2sp6ISpAM)

Now let's stabilize the shell.

![](/files/-McL9vM6fk7c9sYKQJ3z)

Now you can read the user flag.

![](/files/-McLA9Y3zBj4_HQKTVaa)
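
Seen from the defender's side, the upload-then-request sequence above leaves a clear trail in the Apache access log. The following is an added example, not part of the original writeup: it flags a script file that was PUT into `/webdav/` and later requested. The log lines are constructed, and the extension list and the function name `find_upload_then_execute` are assumptions.

```python
import re

# Apache common/combined access log: host ident user [time] "METHOD path proto" status
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a PHP-enabled Apache may execute (assumed list; match the server's handlers)
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
DAV_PREFIX = "/webdav/"  # share path from the writeup

def find_upload_then_execute(lines):
    """Alert when a script PUT into the DAV share is later requested over HTTP."""
    uploaded = {}  # path -> (client host, authenticated user) of the successful PUT
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(DAV_PREFIX) or not SCRIPT_EXT.search(path):
            continue
        status = int(m["status"])
        # mod_dav answers 201 for a new file and 204 for an overwrite
        if m["method"] == "PUT" and status in (201, 204):
            uploaded[path] = (m["host"], m["user"])
        elif m["method"] in ("GET", "POST") and status < 400 and path in uploaded:
            host, user = uploaded[path]
            alerts.append({"path": path, "uploaded_by": user,
                           "upload_host": host, "requested_by": m["host"]})
    return alerts

# Constructed sample log lines (not taken from the target machine)
SAMPLE = [
    '10.9.0.5 - - [12/Jun/2021:10:00:01 +0000] "GET /webdav/ HTTP/1.1" 401 459',
    '10.9.0.5 - - [12/Jun/2021:10:00:03 +0000] "PUT /webdav/shell.php HTTP/1.1" 401 459',
    '10.9.0.5 - wampp [12/Jun/2021:10:00:07 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 262',
    '10.9.0.5 - wampp [12/Jun/2021:10:00:09 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 262',
    '10.9.0.5 - wampp [12/Jun/2021:10:00:12 +0000] "GET /webdav/ HTTP/1.1" 200 1120',
    '10.9.0.5 - wampp [12/Jun/2021:10:00:15 +0000] "GET /webdav/shell.php HTTP/1.1" 200 92',
]

if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE):
        print(alert)
```

The underlying fixes are to change the default WebDAV credentials and to stop the server from executing scripts stored in the DAV share.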

## Privilege Escalation

Let's run `sudo -l` to see what we can run as other users.

![](/files/-McLANo7y8NId4cf_UCb)

It looks like we can run `/bin/cat`, so let's use it to read the `root.txt` file.

![](/files/-McLAY9XWNje8w0_oQFW)


