rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
CTF: Tryhackme
Lab: DAV
Reconnaissance
-
Rustscan’s output
❯ rustscan -a 10.10.51.148 -- -sC -sV .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- 🌍HACK THE PLANET🌍 [~] The config file is expected to be at "/home/sensei/.rustscan.toml" [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers [!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. Open 10.10.51.148:80 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p ") [~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-24 17:06 EDT NSE: Loaded 156 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 17:06 Completed NSE at 17:06, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 17:06 Completed NSE at 17:06, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 17:06 Completed NSE at 17:06, 0.00s elapsed Initiating Ping Scan at 17:06 Scanning 10.10.51.148 [2 ports] Completed Ping Scan at 17:06, 0.22s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 17:06 Completed Parallel DNS resolution of 1 host. at 17:06, 0.15s elapsed DNS resolution of 1 IPs took 0.15s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 17:06 Scanning 10.10.51.148 [1 port] Discovered open port 80/tcp on 10.10.51.148 Completed Connect Scan at 17:06, 0.15s elapsed (1 total ports) Initiating Service scan at 17:06 Scanning 1 service on 10.10.51.148 Completed Service scan at 17:07, 6.62s elapsed (1 service on 1 host) NSE: Script scanning 10.10.51.148. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 17:07 Completed NSE at 17:07, 13.65s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 17:07 Completed NSE at 17:07, 1.40s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 17:07 Completed NSE at 17:07, 0.00s elapsed Nmap scan report for 10.10.51.148 Host is up, received syn-ack (0.21s latency). Scanned at 2024-08-24 17:06:56 EDT for 22s PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.18 (Ubuntu) -
FFuf’s directory fuzzing
- The webdav directory requests for credentials,I google searched for web dav default creds and got one
jigsaw:jigsawbut it didn’t work. I got another another from this site which worked. The pairwampp:xamppcan also serve as default credentials for webdav.
- Web-based distributed authoring and versioning (WebDAV) is a set of extensions to the HTTP protocol that allows WebDAV clients (such as Microsoft Web Folders) to collaboratively edit and manage files on remote Web servers.We can access webdav with the linux binary
cadaveras explained in this blog
- We can add a shell to the webdav directory with the
putkeyword.
- Shell access
Privilege Escalation
- Running
sudo -lshows that we can use binary/bin/catto read files without password
- To read root, run
sudo /bin/cat /root/root.txt