TryHackMe DAV WriteUp
WEBSITE LINK : TRYHACKME:DAV
First, I scanned the IP address with Nmap to find the services available on it, using these options:
-sV : check the service version
-v : verbose output
-Pn : skip host discovery, so Nmap treats the machine as already up and starts the scan directly
From the Nmap results we can see that only port 80 (web) is open. So I pasted the IP address into the browser, and it showed the default Apache server page.
So we need to search for all the directories/pages. I used Gobuster for this.
From the Gobuster results we can see that there is a directory named webdav that returns status code 401, which means the request was not authenticated: to access this directory we have to log in.
After seeing this I googled for WebDAV login vulnerabilities, and after a lot of searching I found a website saying that WebDAV has wampp as the default user and xampp as the default password. I tried these and they worked.
Here we can see one file, passwd.dav, which contains the default login credentials we used to log in to the webdav directory. After this I searched for WebDAV vulnerabilities and learned that we can upload files to its server. I thought that if I could upload a shell and connect to it, we could get into the system easily. I searched for a PHP reverse shell, found a script on GitHub, changed some variable values such as the IP, and uploaded it using the curl command.
Then I started a listener on my system, got a response from the server, and we were logged in to the system. After searching for user.txt, we found it in merlin's home directory.
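Seen from the server side, the steps above leave a recognisable trail in the Apache access log: a login with the default account, a PUT of a PHP file into the WebDAV directory, and a request for that same file. The detection below is an added example, not part of the original write-up; the log lines, IP addresses, file names and the `analyze` helper are constructed for illustration, and it assumes the combined log format.

```python
import re
from collections import namedtuple

# Constructed sample lines in Apache combined log format (not from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /webdav/ HTTP/1.1" 401 459 "-" "curl/8.0"
10.0.0.5 - wampp [01/Jan/2024:10:00:09 +0000] "GET /webdav/ HTTP/1.1" 200 1120 "-" "curl/8.0"
10.0.0.5 - wampp [01/Jan/2024:10:01:30 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 180 "-" "curl/8.0"
10.0.0.5 - wampp [01/Jan/2024:10:02:00 +0000] "PUT /webdav/up.php HTTP/1.1" 201 181 "-" "curl/8.0"
10.0.0.5 - wampp [01/Jan/2024:10:02:20 +0000] "GET /webdav/up.php HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)
WRITE_OK = {"201", "204"}   # Created / No Content: the upload succeeded
DEFAULT_USERS = {"wampp"}   # default account named in the write-up

Finding = namedtuple("Finding", "severity ts ip user path reason")

def analyze(log_text, dav_prefix="/webdav/"):
    """Return findings for default-account use and upload-then-request of scripts."""
    findings, uploaded, seen_logins = [], set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(dav_prefix):
            continue
        path = m["path"].split("?", 1)[0]          # ignore any query string
        def hit(sev, why):
            findings.append(Finding(sev, m["ts"], m["ip"], m["user"], path, why))
        who = (m["ip"], m["user"])
        # Report each successful default-account client once, not per request.
        if m["user"] in DEFAULT_USERS and m["status"].startswith("2") and who not in seen_logins:
            seen_logins.add(who)
            hit("medium", "default WebDAV account authenticated")
        if m["method"] == "PUT" and m["status"] in WRITE_OK and SCRIPT_EXT.search(path):
            uploaded.add(path)
            hit("high", "server-side script uploaded over WebDAV")
        elif m["method"] in ("GET", "POST") and path in uploaded and m["status"] == "200":
            hit("critical", "uploaded script was then requested (likely executed)")
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} user={f.user} {f.path}: {f.reason}")
```

The plain-text upload (notes.txt) produces no finding; only the script upload and the follow-up request for it are escalated.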
Now we have to become root on the system. From the output of sudo -l we can see that we can run the cat command as root without a password. And with that we got our root flag as well.








