Dav TryHackMe

 


Dav

 boot2root machine for FIT and bsides guatemala CTF
 

 

 

 

 Overview

DAV is another easy room that shows the dangers of default credentials, how to use Nmap for HTTP enumeration, and the power of PUT, and it showcases tools such as davtest and cadaver.

 

Recon

nmap -vv -sV -Pn <Target IP>

 

With only one port open, and it being HTTP, I decide to use nmap to enumerate the directories.

nmap -p80 --script http-enum <Target IP>

 

From here we can see that we have a /webdav/ directory. Navigating to it presents us with a login prompt.

OSINT

After some searching into webdav, I discover a few tools that will help us get into the account, such as the default credentials that can be found here

 

Directories of webdav

Once you log in with the default credentials you will find a passwd.dav file with a hash inside of it; decrypted, it doesn't really provide much.

 

 

Davtest

In our search earlier for default credentials I came across a tool called davtest that will show what we can execute on the dav server.

$ davtest -auth username:password -url http://<Target IP>/webdav

 

Based on the results, we can see that we can execute PHP files on the server, meaning we can upload a PHP reverse shell.

Cadaver

Along with davtest I came across cadaver at http://www.webdav.org/cadaver/ which we will use to upload our shell with the put command.

cadaver

 

Reverse Shell

Now that you've uploaded your shell, open a listener, navigate back to the /webdav/ directory, and execute your shell by clicking your file within the directory.
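From the defending side, the upload-then-execute sequence described above leaves a recognisable pair of entries in the web server's access log. The following is an added example, not part of the original writeup: it assumes Apache combined-format logs, and the log lines, the `davuser` account and the function name are constructed for illustration.

```python
import re

# Apache combined log format: client, ident, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions commonly mapped to the PHP handler.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)

# Constructed sample log lines (hypothetical hosts and account).
SAMPLE_LOG = """\
10.0.0.5 - davuser [12/Mar/2024:10:01:02 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0 "-" "-"
10.0.0.5 - davuser [12/Mar/2024:10:01:09 +0000] "PUT /webdav/upload.php HTTP/1.1" 201 0 "-" "-"
10.0.0.5 - davuser [12/Mar/2024:10:01:30 +0000] "GET /webdav/upload.php HTTP/1.1" 200 12 "-" "-"
10.0.0.9 - - [12/Mar/2024:10:02:00 +0000] "PUT /webdav/x.php HTTP/1.1" 401 0 "-" "-"
10.0.0.9 - - [12/Mar/2024:10:02:05 +0000] "GET /webdav/x.php HTTP/1.1" 404 0 "-" "-"
"""

def find_upload_then_execute(log_text, dav_prefix="/webdav/"):
    """Return script files that were PUT successfully and later requested."""
    uploads = {}    # path -> (ip, user, timestamp) of the successful PUT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not access entries
        path = m["path"].split("?", 1)[0]
        if not path.startswith(dav_prefix) or not SCRIPT_EXT.search(path):
            continue                      # only script files inside the DAV share
        status = int(m["status"])
        if m["method"] == "PUT" and status in (200, 201, 204):
            uploads[path] = (m["ip"], m["user"], m["ts"])
        elif m["method"] in ("GET", "POST") and status == 200 and path in uploads:
            ip, user, ts = uploads[path]
            findings.append({
                "path": path, "uploaded_by": user, "upload_ip": ip,
                "uploaded_at": ts, "requested_by": m["ip"], "requested_at": m["ts"],
            })
    return findings

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE_LOG):
        print(hit)
```

On Apache with mod_php, turning the handler off for the DAV directory (for example with `php_admin_flag engine off`) and replacing the default credentials removes the condition this check looks for.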

 

Stabilize Stabilize Stabilize

python -c 'import pty;pty.spawn("/bin/bash")'

Ctrl + Z

stty raw -echo ; fg

export TERM=xterm
 
User.txt
  
We know the name of the file we are looking for, so a quick lookup and we should hopefully have our flag.
 
 find / -type f -name user.txt 2>/dev/null
 
 
 
One flag down, one to go.
 
Root.txt

After an unsuccessful attempt to search for the root.txt with the same method above, I decide to check our sudo privileges.
 
   sudo -l
 
  
 
We can run cat as root, so all we have to do is sudo cat the root.txt file and we can read it, assuming it's located in the /root directory.
 
sudo cat /root/root.txt 
 
 
 
And now we have our last flag. Hope you enjoyed!
 
 
 
