📓
Pentesting
  • Writeups
  • HackTheBox
    • Easy Machines
      • Beep Writeup
      • Shocker Writeup
      • Lame Writeup
      • Jerry Writeup
      • Legacy Writeup
      • Blue Writeup
  • TryHackMe
    • Walkthroughs: Easy
      • CC: Steganography
      • Cryptography for Dummies
      • Cross-site Scripting
      • SQL Injection Lab
      • SQL Injection
      • ZTH: Web 2
      • SSRF
      • XXE
      • Authenticate
      • Injection
      • Blaster
      • The Cod Caper
      • Hardening Basics Part 1
      • What the Shell?
      • Game Zone
      • Upload Vulnerabilities
      • Bolt
      • Erit Securus 1
      • CC: Pentesting
      • JavaScript Basics
      • OverPass 2 - Hacked
      • Linux: Local Enumeration
      • Ice
      • Linux Backdoors
      • Avengers Blog
      • DNS in Detail
      • Putting it all together
      • Kenobi
      • Common Linux Privesc
      • Network Services 2
      • Network Services
      • The Hacker Methodology
      • The Find command
      • HTTP in Detail
      • Web Fundamentals
      • How Websites Work
      • Introductory Networking
    • Challenges (CTF): Easy
      • VulNet: Roasted
      • VulNet: Internal
      • Git Happens
      • Kiba
      • VulNet: Node
      • Memory Forensics
      • Smag Grotto
      • Investigating Windows
      • Cat Pictures
      • Juicy Details
      • Anthem
      • Tony The Tiger
      • Jack-of-All-Trades
      • JPGChat
      • Blueprint
      • All in One
      • Gotta Catch'em All
      • Mustacchio
      • Break Out The Cage
      • HeartBleed
      • Poster
      • Madness
      • Source
      • Thompson
      • Library
      • Magician
      • Anonforce
      • Dav
      • GLITCH
      • Fowsniff CTF
      • Team
      • H4cked
      • Easy Peasy
      • ColddBox: Easy
      • Archangel
      • Cyborg
      • Chocolate Factory
      • Brute It
      • Year of the Rabbit
      • ChillHack
      • Gaming Server
      • Brooklyn Nine Nine
      • Wgel CTF
      • Tomghost
      • ToolsRus
      • Skynet
      • Startup
      • Agent Sudo
      • Lian-Yu
      • OhSINT
      • Overpass
      • Crack The Hash
      • Ignite
      • Inclusion
      • Bounty Hunter
      • LazyAdmin
      • RootMe
      • Pickle Rick
      • Basic Pentesting
      • Simple CTF
  • Crackmes.one
    • 1 Difficulty Rating
      • easyAF
      • Easy Keyg3nme
Powered by GitBook
On this page
  • Reconnaissance
  • Enumeration
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. TryHackMe
  2. Challenges (CTF): Easy

Dav

PreviousAnonforceNextGLITCH

Last updated 3 years ago

Was this helpful?

Reconnaissance

Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)

nmap -Pn 10.10.1.27

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 80

  • (-oN nmap): Saving it into a file called nmap

nmap -sV -sC -p 80 -oN nmap 10.10.1.27

Enumeration

Lets visit the site

Its a default apache2 page, lets run gobuster to find hidden directories.

gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.1.27/ 

We have a directory called /webdav, lets go check it out.

Now lets try to login

We are logged in, lets look at the password.dav file.

We have a username and a password.

Exploitation

After this I looked for vulnerabilities for webdav and found that we can upload a file and then get a reverse shell if we upload a reverse shell.

curl --user "wampp:xampp" http://10.10.1.27/webdav/ --upload-file /root/shell.php

After uploading it, refresh the page and you should see the file

Now lets start a reverse shell listener.

Now click the file on the webpage and you should get a reverse shell.

Now lets stabilize the shell.

Now you can read the user flag.

Privilege Escalation

Lets run sudo -l to see what we can run as other users.

Looks like we can run /bin/cat, lets read the root.txt file with this

We have to login, we do not have a username or a password, lets go look for default credentials. Looking on google , I found this , and found a default username and password

We can upload a file using this command, you can find a reverse shell .

article
here