WebDAV

Sample Machines

Hack The Box: Granny (10.10.10.15)

Enumeration Tool

davtest

davtest -url http://10.10.10.15

Running this command reports which file types can be uploaded to the server.

Upload

cadaver

cadaver http://10.10.10.15

Then you can do:

PUT x.txt

If some extensions are not allowed, say .exe, you can try renaming the file to an allowed extension first, for example x.exe to x.txt. Then:

PUT x.txt
MOVE x.txt x.exe

Done.
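
From the defender's side, the PUT-then-MOVE sequence above leaves a recognisable trace in request logs. The following is an added example, not part of the original notes: it flags a successful PUT followed by a MOVE from the same client that lands on a blocked extension. The record layout, the extension list and the sample entries are constructed, and it assumes the log source captures the WebDAV Destination header.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Extensions the upload filter is meant to block (assumed list; adjust per server).
RISKY_EXT = {".exe", ".dll", ".asp", ".aspx"}

# Constructed sample records: (client, method, path, Destination header, status).
# Assumption: the log source captures the WebDAV Destination header.
SAMPLE = [
    ("192.0.2.7", "PUT", "/x.txt", None, 201),
    ("192.0.2.7", "MOVE", "/x.txt", "http://203.0.113.10/x.exe", 201),
    ("192.0.2.9", "PUT", "/notes.txt", None, 201),
    ("192.0.2.9", "MOVE", "/notes.txt", "http://203.0.113.10/old/notes.txt", 201),
    ("192.0.2.8", "PUT", "/tool.exe", None, 403),
    ("192.0.2.8", "MOVE", "/x.exe", "http://203.0.113.10/y.exe", 403),
]


def norm(path):
    """Decode percent-escapes and lower-case (IIS paths are case-insensitive)."""
    return unquote(path).lower()


def ext(path):
    return posixpath.splitext(path)[1]


def find_rename_bypass(records):
    """Return (client, uploaded_path, final_path) for each upload renamed to a risky extension."""
    tracked = {}  # (client, current path) -> path as originally uploaded
    alerts = []
    for client, method, path, dest, status in records:
        if not 200 <= status < 300:
            continue  # rejected requests changed nothing on disk
        key = (client, norm(path))
        if method == "PUT":
            tracked[key] = norm(path)
        elif method == "MOVE" and dest and key in tracked:
            origin = tracked.pop(key)
            new_path = norm(urlsplit(dest).path)
            tracked[(client, new_path)] = origin  # keep following the file
            if ext(new_path) in RISKY_EXT and ext(origin) not in RISKY_EXT:
                alerts.append((client, origin, new_path))
    return alerts


if __name__ == "__main__":
    for alert in find_rename_bypass(SAMPLE):
        print("upload renamed past extension filter:", alert)
```

Correlating per client misses a rename issued from a different address; keying on the path alone closes that gap at the cost of more noise.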

IIS 6 WebDAV exploit

  • Good one script KO

  • But it works only for the first time!
