Dav

This engagement involved exploiting a WebDAV service with default credentials to achieve remote code execution, followed by privilege escalation through insecure sudo permissions.

Reconnaissance

Port scanning revealed a single exposed service:

The default Apache page suggested further enumeration was required.

Initial Findings

Directory enumeration revealed a protected /webdav endpoint using Basic Authentication.

Default credentials (wampp:xampp) allowed access to the service.

Key Finding: Insecure WebDAV Configuration

The WebDAV service was exposed with default credentials and allowed file uploads, enabling attackers to write arbitrary files to the server.

Exploitation

Authenticated access allowed file uploads to the server. A PHP reverse shell was uploaded and executed, resulting in a shell as www-data.

curl -u wampp:xampp -T rev.php http://target/webdav/rev.php
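For detection, the upload-then-execute pattern above can be found in the web server's access log. The following is an added example, not part of the original write-up: it assumes Apache combined log format, and the log lines, IP addresses and the user "alice" are constructed sample data.

```python
import re

# Apache combined log: host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")  # server-executed types
DAV_PREFIX = "/webdav/"      # endpoint named in the write-up
DEFAULT_USERS = {"wampp"}    # default account named in the write-up

# Constructed sample log lines (documentation IP ranges, hypothetical users).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /webdav/ HTTP/1.1" 401 459 "-" "curl/8.0"',
    '203.0.113.7 - wampp [10/Jan/2024:10:00:05 +0000] "PUT /webdav/rev.php HTTP/1.1" 201 262 "-" "curl/8.0"',
    '198.51.100.4 - alice [10/Jan/2024:10:00:07 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 262 "-" "davfs2"',
    '203.0.113.7 - wampp [10/Jan/2024:10:00:09 +0000] "GET /webdav/rev.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.4 - alice [10/Jan/2024:10:00:12 +0000] "GET /webdav/notes.txt HTTP/1.1" 200 12 "-" "davfs2"',
]


def find_dav_script_execution(lines):
    """Flag scripts written with a successful PUT and then requested."""
    uploads = {}   # path -> (host, user, time) of the successful PUT
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]   # ignore any query string
        if not path.startswith(DAV_PREFIX):
            continue
        status = int(m["status"])
        if (m["method"] == "PUT" and 200 <= status < 300
                and path.lower().endswith(SCRIPT_EXT)):
            uploads[path] = (m["host"], m["user"], m["time"])
        elif m["method"] in ("GET", "POST") and status == 200 and path in uploads:
            up_host, up_user, up_time = uploads[path]
            findings.append({
                "path": path,
                "uploaded_by": up_user,
                "uploaded_from": up_host,
                "uploaded_at": up_time,
                "requested_from": m["host"],
                "default_account": up_user in DEFAULT_USERS,
            })
    return findings

if __name__ == "__main__":
    for finding in find_dav_script_execution(SAMPLE_LOG):
        print(finding)
```

A WebDAV MOVE or COPY names its target in the Destination header, which the combined log format does not record, so a file uploaded under a harmless extension and then renamed is not caught by this check.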

Privilege Escalation

Sudo permissions allowed execution of /bin/cat as root without a password:

sudo cat /root/root.txt

This resulted in full root access.

Impact

This chain allowed unauthenticated attackers to achieve remote code execution and escalate privileges to root.

In a real-world environment, this would enable full system compromise, data exfiltration, and persistent access to the infrastructure.