Dav Tryhackme Writeup [Detailed]
Dav is an Easy machine in TryHackMe in which we’ll use basic enumeration, learn more about WebDAV and how to exploit it to gain access to the server.
About WebDAV: WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to the Hypertext Transfer Protocol (HTTP). It allows users to collaborate on and edit files stored on remote servers. WebDAV enables a web server to act as a file server, allowing authors to collaborate on web content.
Enumeration
First things first: enumeration. I ran a basic nmap scan for open ports:
$~ nmap 10.10.123.191
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
The only open port was port 80 (HTTP).
Browsing to port 80, we get the default Apache page.
Next, we move on to directory enumeration.
ffuf found a hidden directory, /webdav, but it requires authentication for access.
After searching Google for WebDAV, I found a blog that gives default credentials for WebDAV here
Guess what? It worked with wampp:xampp
Gaining access [Post Exploitation]
The WebDAV index gave us a password file with a hash. We don’t need that since we already have access to the server. Now things are quite easy: we only need to put a reverse shell onto the server. Let’s do it.
We are using the cadaver tool for this.
cadaver is a CLI WebDAV client for Unix that can be used for exploiting WebDAV. You can find more about the cadaver tool here
Now we will try to upload a reverse shell.
For PHP reverse shells, I usually use this one. So I download it, replace the IP and port and send it to the server:
We succeeded in uploading the reverse shell.
So, before clicking on the script file, let’s start listening for connections on the port we used previously in the PHP script:
nc -lvnp 1234
Now click the reverse shell file to trigger the connection.
Got it !!!!
Now we can read the user flag.
user.txt is located in /home/merlin/user.txt
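Seen from the defender's side, the steps above (a login with the default wampp account, a PUT of a .php file into /webdav, then a request for that file) leave a clear trail in Apache's access log. The detection logic below is an added example, not part of the original writeup; the log lines, IP addresses, file names and the analyze function are constructed for illustration.

```python
import re

# Constructed sample lines in Apache combined log format (not from the writeup).
SAMPLE_LOG = """\
10.0.0.5 - wampp [12/Mar/2024:10:01:02 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1543 "-" "dav-client"
10.0.0.5 - wampp [12/Mar/2024:10:01:40 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 260 "-" "dav-client"
10.0.0.5 - wampp [12/Mar/2024:10:02:11 +0000] "GET /webdav/shell.php HTTP/1.1" 200 92 "-" "Mozilla/5.0"
10.0.0.9 - alice [12/Mar/2024:10:05:00 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 180 "-" "dav-client"
10.0.0.9 - alice [12/Mar/2024:10:06:00 +0000] "GET /webdav/notes.txt HTTP/1.1" 200 512 "-" "dav-client"
10.0.0.7 - - [12/Mar/2024:10:07:00 +0000] "PUT /webdav/x.php HTTP/1.1" 401 381 "-" "curl"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
DEFAULT_USERS = {"wampp"}  # default WebDAV account name mentioned in the writeup

def analyze(log_text):
    """Return (kind, ip, user, path) findings from an Apache access log."""
    findings = []
    uploaded = {}          # path -> (ip, user) of a successful script PUT
    seen_default = set()   # (ip, user) pairs already reported once
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue       # skip lines that are not in the expected format
        ip, user, method = m["ip"], m["user"], m["method"]
        path = m["path"].split("?", 1)[0]       # ignore any query string
        ok = 200 <= int(m["status"]) < 300      # only successful requests count
        if ok and user in DEFAULT_USERS and (ip, user) not in seen_default:
            seen_default.add((ip, user))
            findings.append(("default-credential-login", ip, user, path))
        if method == "PUT" and ok and SCRIPT_EXT.search(path):
            uploaded[path] = (ip, user)
            findings.append(("script-upload", ip, user, path))
        elif method in ("GET", "POST") and ok and path in uploaded:
            findings.append(("uploaded-script-requested", ip, user, path))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Ordinary WebDAV use (alice's notes.txt) and the rejected 401 upload produce no findings; only the default-account login and the script upload followed by a request for the same path are reported.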
Privilege Escalation
Now comes the exciting part. Let’s root the machine.
Checking our privileges with sudo -l reveals that we can cat any file with sudo without a password. Now let’s get the root flag:
Now read the root flag.
And finally done!
Conclusion
This was a fun and pretty straightforward machine to exploit. It was cool to learn a little more about WebDAV and how to use it. A good lesson to carry for life is to change default credentials as soon as possible!
I hope you learned something from my writeup. Feel free to connect with me on Twitter ❤
See you in the next writeup
happy hacking !
-n0rmh3ll