Dav Tryhackme Writeup [Detailed]

n0rmh3ll, published in System Weakness, Sep 15, 2023


Dav is an Easy machine in TryHackMe in which we’ll use basic enumeration, learn more about WebDAV and how to exploit it to gain access to the server.

About WebDAV: WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to the Hypertext Transfer Protocol (HTTP). It lets a web server act as a file server, so users can collaborate on and edit files stored on remote servers.

Enumeration

First things first: enumeration. I ran a basic nmap scan for open ports.

$~ nmap 10.10.123.191

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

The only open port is port 80 (HTTP).

Browsing to port 80, we get the default Apache page.

Next comes directory enumeration.

ffuf found a hidden directory, /webdav, but it requires authentication for access.

After searching Google for WebDAV, I found a blog that lists default credentials for WebDAV here

Guess what? It worked with wampp:xampp

Gaining access [Post Exploitation]

The WebDAV index gave us a password file with a hash. We don't need it, since we already have access to the server. Now things are quite easy: we only need to put a reverse shell on the server. Let's do it.

We are using the cadaver tool for this.

cadaver is a CLI WebDAV client for Unix, which we use here to exploit WebDAV. You can find more about the cadaver tool here

Now we will try to upload a reverse shell.

For PHP reverse shells, I usually use this one. So I download it, replace the IP and port and send it to the server:

We succeeded in uploading the reverse shell.

So, before clicking on the script file, let's start listening for connections on the port we used previously in the PHP script:

nc -lvnp 1234

Now click the reverse shell file to trigger the connection.

Got it !!!!

Now we can read the user flag.

user.txt is located at /home/merlin/user.txt
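Seen from the defender's side, the upload-then-request sequence above leaves a clear trail in Apache's access log: an authenticated PUT that creates a script under /webdav/, followed by a request for the same path. The following is an added example, not part of the original writeup; it assumes the default "combined" log format, and the sample log lines, IP addresses and the file name upload.php are constructed for illustration.

```python
import re
from collections import namedtuple

# Apache "combined" format: host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
DEFAULT_USERS = {"wampp"}  # default WebDAV account named in this writeup

Finding = namedtuple("Finding", "path uploader source default_account executed_by")

def find_uploaded_scripts(lines, dav_prefix="/webdav/"):
    """Flag server-side scripts created with a WebDAV PUT and record which
    hosts requested them afterwards (the request is what makes PHP run them)."""
    uploads = {}  # path -> Finding
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of failing
        path = m["path"].split("?", 1)[0]
        if not path.startswith(dav_prefix) or not SCRIPT_EXT.search(path):
            continue
        method, status = m["method"], int(m["status"])
        if method == "PUT" and status in (201, 204):  # created / overwritten
            uploads[path] = Finding(path, m["user"], m["host"],
                                    m["user"] in DEFAULT_USERS, [])
        elif method in ("GET", "POST") and status == 200 and path in uploads:
            uploads[path].executed_by.append(m["host"])
    return list(uploads.values())

# Constructed sample lines (not taken from the target machine).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2023:10:00:01 +0000] "GET /webdav/ HTTP/1.1" 401 459 "-" "-"',
    '203.0.113.5 - wampp [15/Sep/2023:10:00:09 +0000] "PUT /webdav/upload.php HTTP/1.1" 201 262 "-" "-"',
    '198.51.100.7 - alice [15/Sep/2023:10:00:20 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 262 "-" "-"',
    'truncated line without the expected fields',
    '203.0.113.5 - wampp [15/Sep/2023:10:01:30 +0000] "GET /webdav/upload.php HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_uploaded_scripts(SAMPLE_LOG):
        print(finding)
```

This only sees files written directly with PUT; a file uploaded under a harmless extension and renamed with MOVE will not match, because the new name travels in the Destination header, which the combined format does not log.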

Privilege Escalation

Now comes the exciting part. Let's root the machine.

Checking our privileges with sudo -l reveals that we can cat any file with sudo without a password. Now let's get the root flag:

Now read the root flag.

And finally done!

Conclusion

This was a fun and pretty straightforward machine to exploit. It was cool to learn a little more about WebDAV and how to use it. A good lesson to carry for life is to change the default credentials as soon as possible!

I hope you learned something from my writeup. Feel free to connect with me on Twitter.

See you in the next writeup

Happy hacking!

-n0rmh3ll
