Dav

https://tryhackme.com/room/bsidesgtdav

Nmap Scan

nmap -A -p- -T4 10.10.70.148

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Looks like we only have port 80 open and looking at the nmap results the root page redirects to the default Apache install:

Apache default page

Lets move onto directory enumeration.

Dirb

Lets run a default Dirb scan and see what we find..

---- Scanning URL: http://10.10.70.148/ ----
+ http://10.10.70.148/index.html (CODE:200|SIZE:11321)
+ http://10.10.70.148/server-status (CODE:403|SIZE:300)
+ http://10.10.70.148/webdav (CODE:401|SIZE:459) 

Looks like we have a few hits to explore. In the meantime lets run Gobusterwith a medium wordlist incase it picks anything up whilst we explore the above directories.

Running Gobuster for further enumeration

Finding credentials

Gobuster did not return anything of value so our next best step is to take a look at the /webdav/ directory.

Http-basic-auth on /webdav/ directory.

We hit a http-basic-auth login form on the directory. I tried some really basic credentials such as admin:admin and_ root:root_ and these submissions did not work. Looks like this form is our best next step as nothing else is coming up with anything.

Initially I searched for "webdav default credentials" and "webdav ubuntu credentials" I did not find any valid information so I got a little bit more specific with "apache webdav default credentials"

Head over to following link and read through the blog post and you will find some valid credentials.

helper: webdav xampp <= 1.7.3 default credentialsxforeveryman.blogspot.com

After obtaining some valid credentials we are able to login to the server.

/webdav/ directory post authorization

Inside the passwd.dav file is a username and a hash. I run the hash through John The Ripper on this and the value returned was the same password we used to authenticate with. I ran Dirb on the authenticated directory with the username:password format added to the command and this returned nothing.

With no other clear avenue of attack I decided to test using a HTTP PUT request on the directory. I started Burpsuite and added the IP address of the server to the Scope.

Adding the server IP to Scope

Ensure intercept is turned on and refresh the /webdav/ page in the browser. You should receive the following which we will need to send through to repeater.

Burp has intercepted our GET request for the /webdav/ directory.

To send the following through to repeater right click anywhere in the Raw tab and hit "Send to repeater"

We now need to change the GET request to a PUT request. All we need to do is change GET to PUT and add the file name and extension after /webdav/

Creating our PUT request

Below this we need to paste our payload code. In this instance we will be using a PHP reverse shell from pentestmoneky.net

Here we change the IP to our VPN interface and set the port. In this instance I have set port 443 as it is usually reliable for reverse shells.

Adding the PHP code from a reverse shell

All we need to go now is select "Go" and see what the response on the right says.

HTTP response for a PUT request

As we can see the HTTP response informs us the /webdav/shell.php resource has been created. Turn intercept off and refresh the directory and you should see the shell has bee uploaded.

Before we run the shell lets start a netcat listener for the specified port. In this case 443. We will need to use sudo if we are using a port from 1-1024

Starting a listener with Netcat

We can now click and on the shell.php and we should receive a reverse shell as a low privilege user.

First things first lets upgrade our shell to a python shell using the following:

python -c 'import pty; pty.spawn("/bin/bash")'

I checked the html directory and found nothing interesting. After checking home we have two users "wampp" and "merlin". We have access to merlin's home directory and from here we can find the user.txt flag and as you can see we have read permissions to the file. Grab the flag before moving on.

Reading Root

Let's start of by starting a python SimpleHTTPServer on our attacking machine so we can transfer Linpeas over. cd over to the directory containing Linpeas and run the following code:

python -m SimpleHTTPServer

Then we can run wget on the victim machine to download the Linpeas file and from here we can execute Linpeas and pipe it to tee so we can read the results when it is finished.

Running wget against the IP of our attacking machine

An interesting piece of information has been found by Linpeas:

Linpeas running 'sudo -l'

Since we can run cat as sudo we could just simply run the following command to read the root flag:

This box is now complete.