Skip to main contentSkip to main content
The Red Raffle banner icon.

The Jr Pentester Path just got rebuilt. Complete rooms, earn tickets, and win a free PT1 cert.

Room Banner
Back to all walkthroughs
Room Icon

Web Server Attacks - II

Premium room

Attack IIS through fingerprinting, tilde enumeration, WebDAV shell upload, and learn automation.

medium

60 min

2

User profile photo.
User profile photo.

To access material, start machines and answer questions login.

is installed on virtually every Windows Server running a web application, intranet portal, or . Unlike standalone web servers, is tightly integrated with Windows authentication, Active Directory, and the .NET runtime, which makes it a high-value initial access target.

The Lazarus Group exploited servers in 2023 to gain initial access and distribute malware (AhnLab ASEC, 2023 (opens in new tab)). HAFNIUM deployed ASPX web shells on during the Exchange ProxyLogon (opens in new tab) campaign in 2021. CISA Advisory AA23-074A (opens in new tab) documented multiple threat actors, including an group, exploiting a .NET deserialization vulnerability (-2019-18935) in Progress Telerik UI components hosted on U.S. government servers. The actors achieved remote code execution through w3wp.exe and dropped malicious DLLs for persistence. IIS misconfigurations and unpatched CVEs remain active attack surfaces across all these incidents.

This room is a continuation of our previous Web Server Attacks room, where we have gone through different servers deployable on an Ubuntu host. This room walks through the IIS attack chain from start to finish: fingerprinting the server, enumerating hidden files through a Windows quirk, uploading a shell through a misconfigured WebDAV directory, and identifying common server misconfigurations that require no exploit code.

Learning Objectives

  • Fingerprint an IIS server to determine its version and enabled features
  • Use IIS tilde enumeration to discover hidden files and directories 
  • Exploit a misconfigured WebDAV installation to upload and execute an ASPX command shell
  • Understand how ASPX web shells work and what access they provide 
  • Learn automation techniques to fingerprint and enumerate an IIS server

Prerequisites

  • How HTTP requests and responses work, including headers, methods, and status codes (HTTP in Detail room)
  • Comfortably running tools from a Kali or AttackBox terminal (Linux Shells room)
  • Understanding of IP addresses, ports, and TCP connections (Networking Essentials room)

Machine Access

Start the machine by clicking the Start Machine button below. Allow 2-3 minutes for to start fully, then access it using your AttackBox.

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting both your AttackBox (if you're not using your VPN) and Target Machines, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.
Attacker machine
Status:Off
Target machine
Status:Off
Answer the questions below

I have deployed the virtual machines!

We use cookies to ensure you get the best user experience. For more information see our cookie policy.