This is another vulnerable-by-design machine, released on TryHackMe.
We’ll learn to use cadaver, upload a shell, access it to receive the reverse connection, and then escalate our privileges. Start with an Nmap scan:
Port 80 is open, so let’s access the website. There is an Apache default page. Let’s run gobuster against the website and see what we can find.
The webdav folder is accessible. We can try to log in to it using default credentials. For that, we’ll use cadaver with the following credentials: User: wampp Pass: xampp
We can now upload our PHP shell, access the shell and receive the connection. Don’t forget to modify your IP and PORT in the PHP shell.
First set up the listener to wait for the connection to be received.
Access the shell now. The shell is located at 10.10.69.177/webdav/rev.php in my case. Update the name of the shell and IP to suit your needs.
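The upload-then-access sequence above leaves a clear trail in the Apache access log: an authenticated PUT of a script file into the DAV folder, followed by a request for that same file. The following is an added example, not part of the original write-up, showing how a defender could flag that pattern. The log lines are constructed samples, and the `/webdav/` prefix and the `wampp` account are the ones named in this write-up.

```python
import re

# Apache common/combined log prefix: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")  # extensions Apache may hand to PHP
DEFAULT_USERS = {"wampp"}  # default WebDAV account named in this write-up

def find_webdav_script_uploads(lines, dav_prefix="/webdav/"):
    """Return one finding per script file that was PUT into the DAV folder.

    Each finding records who uploaded it, whether a default account was used,
    and which hosts later requested the file (meaning the server executed it).
    """
    uploads = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(dav_prefix) or not path.lower().endswith(SCRIPT_EXT):
            continue
        status = int(m["status"])
        # mod_dav answers 201 for a newly created file and 204 for an overwrite.
        if m["method"] == "PUT" and status in (201, 204):
            uploads[path] = {
                "path": path, "uploader": m["host"], "user": m["user"],
                "default_account": m["user"] in DEFAULT_USERS, "executed_by": [],
            }
        elif m["method"] in ("GET", "POST") and status == 200 and path in uploads:
            uploads[path]["executed_by"].append(m["host"])
    return list(uploads.values())

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '10.9.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /webdav/ HTTP/1.1" 401 459',
    '10.9.0.5 - wampp [01/Jan/2024:10:00:09 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1121',
    '10.9.0.5 - wampp [01/Jan/2024:10:00:20 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 263',
    '10.9.0.5 - wampp [01/Jan/2024:10:00:31 +0000] "PUT /webdav/rev.php HTTP/1.1" 201 261',
    '10.9.0.5 - wampp [01/Jan/2024:10:00:44 +0000] "GET /webdav/rev.php HTTP/1.1" 200 92',
]

if __name__ == "__main__":
    for finding in find_webdav_script_uploads(SAMPLE_LOG):
        print(finding)
```

A finding with `default_account` set and a non-empty `executed_by` list means the default credentials are still active and the DAV folder is executing uploaded scripts, both of which should be fixed on the server.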
We can read the user flag now.
After a bit of manual enumeration, we see that we can leverage cat to read the root flag because we can run it as root.
Let’s run the command and receive the root flag.
And boom, there it is. Hope you learned something new from this write-up.