Enumeration
Starting with network reconnaissance:
nmap -v -sC -sV -oA nmap 10.10.153.21
Only port 80 was discovered as open. Visiting the IP revealed a default Ubuntu Apache page with limited information. Directory enumeration was performed:
gobuster dir -u 10.10.153.21 -w /usr/share/wordlists/dirb/common.txt -t 20 -x .php,.txt,.htm
A /webdav directory was identified, requiring authentication.
Exploitation
Research showed the default WebDAV credentials to be wampp:xampp. After authentication, the directory contained minimal content but revealed a password file. A reverse shell was then uploaded with the cadaver tool:
cadaver http://10.10.153.21/webdav
A reverse shell payload was placed in the WebDAV directory, then executed by accessing it through the web browser. A netcat listener was established to receive the connection.
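From the defender's side, the upload-then-request sequence described above leaves a recognizable pattern in the Apache access log. The following is an added example, not part of the original writeup: a small detector that flags a script written with PUT and later requested over HTTP. The log lines, the extension list and the function name are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in Apache "combined" format (not taken from the target).
SAMPLE_LOG = """\
203.0.113.5 - wampp [10/Mar/2024:12:00:01 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1203 "-" "cadaver/0.23.3 neon/0.30.2"
203.0.113.5 - wampp [10/Mar/2024:12:00:09 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 312 "-" "cadaver/0.23.3 neon/0.30.2"
203.0.113.5 - wampp [10/Mar/2024:12:00:15 +0000] "PUT /webdav/upload.php HTTP/1.1" 201 312 "-" "cadaver/0.23.3 neon/0.30.2"
203.0.113.5 - wampp [10/Mar/2024:12:00:31 +0000] "GET /webdav/upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD target protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = (".php", ".phtml", ".phar")  # assumption: extensions the server executes
DEFAULT_USERS = {"wampp"}                 # default WebDAV account named in the writeup

Finding = namedtuple(
    "Finding", "path user default_account upload_time exec_ip exec_time")


def find_upload_then_execute(lines):
    """Return a Finding for each script stored via PUT and later requested."""
    uploads = {}   # path -> (user, timestamp) of the successful PUT
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, user, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]      # ignore any query string
        ok = status.startswith("2")
        if method == "PUT" and ok and path.lower().endswith(SCRIPT_EXT):
            uploads[path] = (user, ts)
        elif method in ("GET", "POST") and ok and path in uploads:
            up_user, up_ts = uploads[path]
            findings.append(Finding(path, up_user, up_user in DEFAULT_USERS,
                                    up_ts, ip, ts))
    return findings


if __name__ == "__main__":
    for f in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print(f)
```

Files renamed into place with WebDAV MOVE or COPY are not covered, because the destination travels in a request header that the combined log format does not record.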
Shell Improvement
The initial shell was upgraded:
python -c 'import pty; pty.spawn("/bin/bash");'
Privilege Escalation
Checking sudo permissions showed that the cat command could be run through sudo without a password. The root flag was obtained:
sudo cat /root/root.txt
The flag was successfully retrieved, completing the challenge.