THM-Dav-Writeup
Boot2root machine for FIT and BSides Guatemala CTF
Find This Room: Dav
Recon:
I started with an nmap scan against the IP provided.
$ sudo nmap -A -O -sC -sV <machine_IP>
One port shown from nmap scan
I scanned for directories after checking the webpage since it was the default Apache server page.
Gobuster showed:
Highlighted directory of interest
When visiting that page, a login page popped up. Naturally, I tried all the basic credential combos, but no luck.
Vulnerability Assessment/Exploitation:
I looked up the default credentials and found two sets. One was jigsaw:jigsaw, which didn’t work.
The other that I found was wampp:xampp and that worked!
I was using a tool called cadaver when logging in.
$ cadaver http://<machine_IP>/webdav
CLI login for webdav
Found an interesting file that looks to have a hash, so I’ll try to crack that with John.
After trying numerous ways to crack this without luck, I decided to try another method to get in.
I uploaded a reverse shell to the /webdav directory using cadaver and was able to get in that way instead.
Uploading reverse php shell
Proof of reverse shell as www-data
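From the defender's side, the upload step above leaves a clear trace in the Apache access log: an authenticated PUT of a script into /webdav, followed by a request for the same path. The following is an added example, not part of the original writeup; the log lines, file names, client strings and the extension list are constructed assumptions.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)
# Extensions a PHP-enabled Apache commonly hands to the interpreter (assumed list).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "cadaver/0.23.3 neon/0.29.6"
203.0.113.7 - wampp [01/Jan/2024:10:00:05 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1024 "-" "cadaver/0.23.3 neon/0.29.6"
203.0.113.7 - wampp [01/Jan/2024:10:01:10 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 270 "-" "cadaver/0.23.3 neon/0.29.6"
203.0.113.7 - wampp [01/Jan/2024:10:02:00 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 270 "-" "cadaver/0.23.3 neon/0.29.6"
203.0.113.7 - wampp [01/Jan/2024:10:02:30 +0000] "GET /webdav/shell.php HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
"""

def find_webdav_script_uploads(lines, dav_prefix="/webdav/"):
    """Flag scripts written into the DAV share by PUT, and note if they were then requested."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not (path.startswith(dav_prefix) and SCRIPT_EXT.search(path)):
            continue
        status = int(m["status"])
        # mod_dav answers 201 for a new resource and 204 when overwriting one.
        if m["method"] == "PUT" and status in (201, 204):
            findings[path] = {"path": path, "host": m["host"], "user": m["user"],
                              "time": m["time"], "agent": m["agent"], "requested": False}
        elif m["method"] in ("GET", "POST") and path in findings and status < 400:
            findings[path]["requested"] = True
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_webdav_script_uploads(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with "requested" set means the uploaded script was fetched through the web server afterwards. The usual fix is to change the default WebDAV credentials and stop Apache from executing script handlers inside the writable share.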
I checked the home directory to find the user flag and grabbed that from the user Merlin.
Proof of user.txt flag
Before trying to escalate privileges, I wanted to see if there was anything I could run as root and see what kind of cronjobs there were.
No luck on the cronjobs, however, what I could run as root was more than enough!
$ sudo -l
What the user can run as root
Time to grab that root flag and pwn the box!
Proof of root.txt flag