# Apache Conf Privilege Escalation

### [Investigation](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/apache-conf-privilege-escalation/#investigation) <a href="#investigation" id="investigation"></a>

```bash
ls -al /etc/apache2

-rwxrwxrwx  1 root root  7094 NOV 7  2023 apache2.conf
Copied!
```

If we can modify the apache configuration file, we can update the web owner (www-data) to arbitrary user.

<br>

### [Exploitation](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/apache-conf-privilege-escalation/#exploitation) <a href="#exploitation" id="exploitation"></a>

#### [1. Update Apache.Conf](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/apache-conf-privilege-escalation/#1.-update-apache.conf) <a href="#id-1.-update-apache.conf" id="id-1.-update-apache.conf"></a>

First modify “apache.conf” file to change the web user with new one.

```bash
# These need to be set in /etc/apache2/envvars
User www-data
Group www-data
Copied!
```

#### [2. Insert Reverse Shell Script](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/apache-conf-privilege-escalation/#2.-insert-reverse-shell-script) <a href="#id-2.-insert-reverse-shell-script" id="id-2.-insert-reverse-shell-script"></a>

In the web directory (e.g. `/var/www/html`), create the script to reverse shell.\
Assume the website uses PHP, so we can create “shell.php” in the web root and insert [PHP reverse shell](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) script.

#### [3. Restart Apache Server](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/apache-conf-privilege-escalation/#3.-restart-apache-server) <a href="#id-3.-restart-apache-server" id="id-3.-restart-apache-server"></a>

#### [4. Get a Shell](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/apache-conf-privilege-escalation/#4.-get-a-shell) <a href="#id-4.-get-a-shell" id="id-4.-get-a-shell"></a>

We need to start a listener in local terminal.

```bash
nc -lvnp 1234
Copied!
```

Then access to the web page e.g. `https://example.com/shell.php`.

We should get a shell as the desired user.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://morgan-bin-bash.gitbook.io/linux-privilege-escalation/apache-conf-privilege-escalation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.