TryHackMe — Dav Walkthrough

A walkthrough with my tactics, techniques, and procedures.

xocybersec
Dec 28, 2023

Scanning:

I started with an nmap scan against the IP provided.

$ sudo nmap -A -O -sC -sV <machine_IP>
One port shown from nmap scan

I scanned for directories after checking the webpage since it was the default Apache server page.

Gobuster showed:

Highlighted directory of interest

When visiting that page, a login page popped up. Naturally, I tried all the basic credential combos, but no luck.

Vulnerability Assessment/Exploitation:

I looked up the default credentials and found two sets. One was jigsaw:jigsaw which didn’t work.

The other that I found was wampp:xampp and that worked!

I was using a tool called cadaver when logging in.

$ cadaver http://<machine_IP>/webdav
CLI login for webdav

Found an interesting file that looks to have a hash, so I’ll try to crack that with John.

After trying numerous ways to crack this without luck, I decided to try another method to get in.

I uploaded a reverse shell to the /webdav directory using cadaver and was able to get in that way instead.

Uploading reverse php shell
Proof of reverse shell as www-data

I checked the home directory to find the user flag and grabbed that from the user Merlin.

Proof of user.txt flag

Before trying to escalate privileges, I wanted to see if there was anything I could run as root and see what kind of cron jobs there were.

No luck on the cron jobs; however, what I could run as root was more than enough!

$ sudo -l
What the user can run as root

Time to grab that root flag and pwn the box!

Proof of root.txt flag

Reporting:

It is strongly encouraged to change or remove the default credentials for any software or application that presents a login.

Also, uploads and user input need to be validated and sanitized, so that if an attacker were to gain a foothold, anything uploaded or entered is checked first.
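To back up these recommendations with monitoring, here is an added detection example (not part of the original walkthrough) that scans Apache access logs for script files written by PUT under the DAV path and then requested. It assumes the "combined" log format and the /webdav/ path from this box; the function name, extension list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log fields needed here: client, auth user, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: extensions this server hands to PHP; adjust to the real handler config.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)


def find_dav_script_uploads(lines, prefix="/webdav/"):
    """Flag script files created via PUT under the DAV path and mark the ones
    that were requested afterwards (i.e. likely executed by the server)."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = unquote(m["path"].split("?", 1)[0])  # drop query, decode %xx
        if not path.startswith(prefix) or not SCRIPT_EXT.search(path):
            continue
        status = int(m["status"])
        if m["method"] == "PUT" and status in (201, 204):  # created / overwritten
            findings[path] = {"path": path, "uploader_ip": m["ip"],
                              "dav_user": m["user"], "executed": False}
        elif m["method"] in ("GET", "POST") and status == 200 and path in findings:
            findings[path]["executed"] = True
    return list(findings.values())


# Constructed sample log: documentation IP ranges and made-up file names.
SAMPLE_LOG = """\
203.0.113.7 - jigsaw [28/Dec/2023:10:00:41 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "-"
203.0.113.7 - wampp [28/Dec/2023:10:01:09 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1032 "-" "-"
192.0.2.10 - wampp [28/Dec/2023:10:01:30 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 264 "-" "-"
203.0.113.7 - wampp [28/Dec/2023:10:02:11 +0000] "PUT /webdav/upload.php HTTP/1.1" 201 264 "-" "-"
203.0.113.7 - - [28/Dec/2023:10:02:40 +0000] "GET /webdav/upload.php HTTP/1.1" 200 0 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for finding in find_dav_script_uploads(SAMPLE_LOG):
        print(finding)
```

A hit with `dav_user` set to a vendor default account and `executed` set to true covers both reporting points at once: the default login was still active, and the uploaded file was served as code.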
