# Dav ## Nmap Scan ``` nmap -A -p- -T4 10.10.70.148 PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works ``` Looks like we only have port 80 open and looking at the `nmap` results the root page redirects to the default Apache install: ![Apache default page](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-73e43cc02287809fd27f6e6d7975c072eb20af70%2Fimage.png?alt=media) Lets move onto directory enumeration. ## Dirb Lets run a default `Dirb` scan and see what we find.. ``` ---- Scanning URL: http://10.10.70.148/ ---- + http://10.10.70.148/index.html (CODE:200|SIZE:11321) + http://10.10.70.148/server-status (CODE:403|SIZE:300) + http://10.10.70.148/webdav (CODE:401|SIZE:459) ``` Looks like we have a few hits to explore. In the meantime lets run `Gobuster`with a medium wordlist incase it picks anything up whilst we explore the above directories. ![Running Gobuster for further enumeration](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-03bebfbd0fd11bb2c4acb9837b0736ce47744208%2Fimage.png?alt=media) ## Finding credentials `Gobuster` did not return anything of value so our next best step is to take a look at the `/webdav/` directory. ![Http-basic-auth on /webdav/ directory.](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a149398b3475f60bc1c24cb9ac7d9e084eba0547%2Fimage.png?alt=media) We hit a http-basic-auth login form on the directory. I tried some really basic credentials such as *admin:admin* and\_ root:root\_ and these submissions did not work. Looks like this form is our best next step as nothing else is coming up with anything. Initially I searched for "webdav default credentials" and "webdav ubuntu credentials" I did not find any valid information so I got a little bit more specific with "apache webdav default credentials" ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-eab6412369bae7a200c02bd0d3d9ca0aed05b90a%2Fimage.png?alt=media) Head over to following link and read through the blog post and you will find some valid credentials. {% embed url="" %} After obtaining some valid credentials we are able to login to the server. ![/webdav/ directory post authorization](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2b2c274f6bb952589e111f451cfa810f4e8b8acb%2Fimage.png?alt=media) Inside the passwd.dav file is a username and a hash. I run the hash through `John The Ripper` on this and the value returned was the same password we used to authenticate with. I ran `Dirb` on the authenticated directory with the username:password format added to the command and this returned nothing. With no other clear avenue of attack I decided to test using a HTTP PUT request on the directory. I started `Burpsuite` and added the IP address of the server to the Scope. ![Adding the server IP to Scope](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4159d03e66124a3eb21826d32653e70cbcc05d17%2Fimage.png?alt=media) Ensure intercept is turned on and refresh the `/webdav/` page in the browser. You should receive the following which we will need to send through to repeater. ![Burp has intercepted our GET request for the /webdav/ directory.](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-94ca6f3c6bc775ca147a818882859dabd2ab563a%2Fimage.png?alt=media) {% hint style="info" %} To send the following through to repeater right click anywhere in the Raw tab and hit "Send to repeater" {% endhint %} We now need to change the GET request to a PUT request. All we need to do is change `GET` to `PUT` and add the file name and extension after `/webdav/` ![Creating our PUT request](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7bf1919c5bdf0fa53fe3c93777d54a240ad1e41d%2Fimage.png?alt=media) Below this we need to paste our payload code. In this instance we will be using a PHP reverse shell from [pentestmoneky.net](http://pentestmonkey.net) Here we change the IP to our VPN interface and set the port. In this instance I have set port 443 as it is usually reliable for reverse shells. ![Adding the PHP code from a reverse shell](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-92c0d74620b07c52d9ec55a1c4d6cae0b52d8839%2Fimage.png?alt=media) All we need to go now is select "Go" and see what the response on the right says. ![HTTP response for a PUT request](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2902a107ab537951c7d0c4b203167b41f9851f3a%2Fimage.png?alt=media) As we can see the HTTP response informs us the /webdav/shell.php resource has been created. Turn intercept off and refresh the directory and you should see the shell has bee uploaded. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3801d096a57fca20551c24cf9cf1f53251010b3b%2Fimage.png?alt=media) Before we run the shell lets start a `netcat` listener for the specified port. In this case 443. We will need to use sudo if we are using a port from 1-1024 ![Starting a listener with Netcat](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e5166615bca442e5eb2a40e97aa53f6f57d6702c%2Fimage.png?alt=media) We can now click and on the shell.php and we should receive a reverse shell as a low privilege user. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6436b536386530d7eab8ae9688cd671e91041f25%2Fimage.png?alt=media) First things first lets upgrade our shell to a python shell using the following: ``` python -c 'import pty; pty.spawn("/bin/bash")' ``` I checked the html directory and found nothing interesting. After checking home we have two users "wampp" and "merlin". We have access to merlin's home directory and from here we can find the user.txt flag and as you can see we have read permissions to the file. Grab the flag before moving on. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e3396e499de8574803f45d7bf96d75e9da41b517%2Fimage.png?alt=media) ## Reading Root Let's start of by starting a python SimpleHTTPServer on our attacking machine so we can transfer Linpeas over. `cd` over to the directory containing Linpeas and run the following code: ``` python -m SimpleHTTPServer ``` Then we can run `wget` on the victim machine to download the Linpeas file and from here we can execute Linpeas and pipe it to tee so we can read the results when it is finished. ![Running wget against the IP of our attacking machine](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-756a57f06164e9380267c5bf1b4bf7d552d44248%2Fimage.png?alt=media) An interesting piece of information has been found by Linpeas: ![Linpeas running 'sudo -l'](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-1a2c0d22a72232809d9588854dfe01cbe18c14f3%2Fimage.png?alt=media) Since we can run cat as sudo we could just simply run the following command to read the root flag: ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2087383633196a9a35f5854200f0e64f67a4c09b%2Fimage.png?alt=media) This box is now complete.